Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Firstadsolutions Removal


  • Please log in to reply
11 replies to this topic

#1 azyure

azyure

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 29 September 2006 - 07:48 AM

Hi there,

I know there are alot of threads about the removal of 'firstadsolutions' pop-up's but I havn't been able to find one that fits with the files I have.

Going on other threads advice - I have downloaded HijackThis and have included the log below.

The files that look dodgy to me (and that I manually found) '\Application Data\Vga Gpl Fork' which inluces
-Balm Media Drv.exe
-Free first second.exe
-ObjFourCurbDrive.exe
-ejleqmji.exe

I'm also not sure what these are:

'O2 - BHO: (no name) - {E88EDF01-CE30-A0D4-5FA5-E1DE779E4AD9} - C:\DOCUME~1\cshanks\APPLIC~1\PlayBat\dog atom.exe (file missing)'

'O4 - HKLM\..\Run: [manageruploadfirstacid] C:\Documents and Settings\All Users\Application Data\Bin hole manager upload\once spam.exe'

I belive it may have been introduced when I installed MSN Live Plus (which i have since deleted)

HijackThis Log below:

Logfile of HijackThis v1.99.1
Scan saved at 13:44:17, on 29/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\BT Fusion\PhoneManager\PhoneManager.exe
c:\progra~1\intern~1\iexplore.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cshanks\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RNM Systems Ltd
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.200:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.condeco.resonate.co.uk;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E88EDF01-CE30-A0D4-5FA5-E1DE779E4AD9} - C:\DOCUME~1\cshanks\APPLIC~1\PlayBat\dog atom.exe (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [manageruploadfirstacid] C:\Documents and Settings\All Users\Application Data\Bin hole manager upload\once spam.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [File multi] C:\DOCUME~1\cshanks\APPLIC~1\VGAGPL~1\Balm Media Drv.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101144640406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = resonate.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = resonate.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = resonate.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe


:thumbsup: Thanks for taking the time!
Cassandra

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 29 September 2006 - 11:22 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

We are dealing with a LOP infection here, installed with Messenger Live Plus.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't yet lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {E88EDF01-CE30-A0D4-5FA5-E1DE779E4AD9} - C:\DOCUME~1\cshanks\APPLIC~1\PlayBat\dog atom.exe (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [manageruploadfirstacid] C:\Documents and Settings\All Users\Application Data\Bin hole manager upload\once spam.exe
O4 - HKCU\..\Run: [File multi] C:\DOCUME~1\cshanks\APPLIC~1\VGAGPL~1\Balm Media Drv.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Documents and Settings\All Users\Application Data\Bin hole manager upload
C:\Documents and Settings\cshanks\Application Data\Vga Gpl Fork

Please reboot back to normal mode now.

Please download Combofix to your desktop.
Doubleclick combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#3 azyure

azyure
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 02 October 2006 - 04:41 AM

Hi there - thanks so much for answering and sorry for the slow reply!

I have done all as instructed and I havn't had anything pop up so far - here are my logs!

Thanks alot again!

combofix:

cshanks - 06-10-02 10:21:56.85 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\cshanks\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))
No new files created in this timespan
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-02 10:20 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-29 12:24 -------- d-------- C:\Program Files\MSN Messenger
2006-09-28 17:32 -------- d-------- C:\Documents and Settings\cshanks\Application Data\Lavasoft
2006-09-28 17:30 -------- d-------- C:\Program Files\Lavasoft
2006-09-05 11:18 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-05 10:54 -------- d-------- C:\Program Files\OfficeUpdate11
2006-09-05 10:44 -------- d---s---- C:\Documents and Settings\cshanks\Application Data\Microsoft
2006-08-30 16:14 -------- d-------- C:\Program Files\Yahoo!
2006-08-30 10:19 -------- d-------- C:\Program Files\Widget
2006-07-29 19:32 48936 --a------ C:\WINDOWS\SYSTEM32\sirenacm.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000003

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,e2,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,96,00,00,00,00,00,00,00,6a,04,00,00,e2,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.marumushi.com/apps/newsmap/newsmap.cfm"
"SubscribedURL"="http://www.marumushi.com/apps/newsmap/newsmap.cfm"
"FriendlyName"="newsmap"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4a,01,00,00,61,00,00,00,96,03,00,00,d2,02,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4a,01,00,00,61,00,00,00,96,03,00,00,d2,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:b4,5c,07,00,ff,ff,ff,ff,10,5d,07,00,94,04,d7,77,18,b8,\
d4,77,ff,ff,ff,ff

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\A4505B4D91B7D92D.job

Completion time: 02/10/2006 10:28:53.85
ComboFix.txt


:thumbsup: ________________________________________________________________________



Here is the HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:58, on 02/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\BT Fusion\PhoneManager\PhoneManager.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\cshanks\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RNM Systems Ltd
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.200:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.condeco.resonate.co.uk;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101144640406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = resonate.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = resonate.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = resonate.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe


Thanks again!

Edited by azyure, 02 October 2006 - 04:41 AM.


#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 02 October 2006 - 12:23 PM

You're welcome azyure, but we've got a bit more to do.
Firstly you've got a nasty scheduled task running on the PC.

Open notepad and copy and paste next content in it:

%systemdrive%
cd %WinDir%\Tasks
attrib -r -s -h A4505B4D91B7D92D.job
del A4505B4D91B7D92D.job

Save this as remjobs.bat , choose to save as *all files and place it on your desktop.
Doubleclick on remjobs.bat. A doswindow will open and close again, this is normal.

Malware like this normally never comes alone and there are probably infected files left on your computer.
Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

Please let me know how the PC is running also.
David

#5 azyure

azyure
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 03 October 2006 - 05:07 AM

Hi again,

Right did all those things - the Panda scan took ages! I have the logfile and also the HijackThis log too.

My computer runs okay most of the time - slow to start up, but handles the coding/photoshop I do during the day without too much complaining. Nothing specific I can think of at the moment as being a problem. (and the pop-up's have gone)


Panda Activescan Log:


Potentially unwanted tool:Application/ServUBased.A Not disinfected C:\cassandra\exe\susetup.exe[SERVUDAEMON.EXE]

Virus:W32/Alcan.A.worm Disinfected
Personal Folders\Inbox\Emailing: Roboform 6.3.95\Roboform 6.3.95.zip[Setup.exe]

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\afxtemp\Cookies\afxtemp@112.2o7[1].txt

Spyware:Cookie/Searchportal Not disinfected
C:\Documents and Settings\afxtemp\Cookies\afxtemp@searchportal.information[2].txt

Spyware:Cookie/Xmts Not disinfected
C:\Documents and Settings\afxtemp\Cookies\afxtemp@xmts[2].txt

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\cshanks\Application
Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.2o7.net/]

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.112.2o7.net/]

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.2o7.net/]

Spyware:Cookie/Doubleclick Not disinfected
C:\Documents and Settings\cshanks\Application
Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Atlas DMT Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/WebtrendsLive Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[statse.webtrendslive.com/]

Spyware:Cookie/Com.com Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.com.com/]

Spyware:Cookie/QuestionMarket Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.questionmarket.com/]

Spyware:Cookie/Serving-sys Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Serving-sys Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.bs.serving-sys.com/]

Spyware:Cookie/Mediaplex Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/Advertising Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.advertising.com/]

Spyware:Cookie/BurstNet Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.burstnet.com/]

Spyware:Cookie/Statcounter Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.statcounter.com/]

Spyware:Cookie/Overture Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.overture.com/]

Spyware:Cookie/Tucows Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.tucows.com/]

Spyware:Cookie/Adrevolver Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.adrevolver.com/]

Spyware:Cookie/Tribalfusion Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/FastClick Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.fastclick.net/]

Spyware:Cookie/Tradedoubler Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.tradedoubler.com/]

Spyware:Cookie/Adtech Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.adtech.de/]

Spyware:Cookie/Falkag Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.as-eu.falkag.net/]

Spyware:Cookie/Xiti Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.xiti.com/]

Spyware:Cookie/RealMedia Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.realmedia.com/]

Spyware:Cookie/Clickbank Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.clickbank.net/]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[server.iad.liveperson.net/hc/67227766]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[server.iad.liveperson.net/]

Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[server.iad.liveperson.net/hc/67227766]

Spyware:Cookie/onestat.com Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[stat.onestat.com/]

Spyware:Cookie/Bluestreak Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.bluestreak.com/]

Spyware:Cookie/Bfast Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.bfast.com/]

Spyware:Cookie/Adviva Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.adviva.net/]

Spyware:Cookie/Hitbox Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.hitbox.com/]

Spyware:Cookie/Traffic Marketplace Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.trafficmp.com/]

Spyware:Cookie/Atwola Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.atwola.com/]

Spyware:Cookie/Maxserving Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.maxserving.com/]

Spyware:Cookie/RealMedia Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.247realmedia.com/]

Spyware:Cookie/Falkag Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.as-us.falkag.net/]

Spyware:Cookie/Hitbox Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.hg1.hitbox.com/]

Spyware:Cookie/YieldManager Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/YieldManager Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.ad.yieldmanager.com/]

Spyware:Cookie/WUpd Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.revenue.net/]

Spyware:Cookie/Clicktracks Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[stats1.clicktracks.com/]

Spyware:Cookie/HotLog Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.hotlog.ru/]

Spyware:Cookie/Valueclick Not disinfected
C:\Documents and Settings\cshanks\Application Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.valueclick.com/]

Spyware:Cookie/888 Not disinfected
C:\Documents and Settings\cshanks\Application
Data\Mozilla\Firefox\Profiles\yrkqbm42.default\cookies.txt[.888.com/]

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@112.2o7[1].txt

Spyware:Cookie/YieldManager Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@ad.yieldmanager[2].txt

Spyware:Cookie/Hbmediapro Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@adopt.hbmediapro[2].txt

Spyware:Cookie/NewMedia Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@anm.co[2].txt

Spyware:Cookie/Atwola Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@atwola[1].txt

Spyware:Cookie/BurstNet Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@burstnet[2].txt

Spyware:Cookie/Cgi-bin Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@cgi-bin[1].txt

Spyware:Cookie/Cgi-bin Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@cgi-bin[3].txt

Spyware:Cookie/Com.com Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@com[1].txt

Spyware:Cookie/DriveCleaner Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@drivecleaner[2].txt

Spyware:Cookie/Adrevolver Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@media.adrevolver[2].txt

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@microsofteup.112.2o7[1].txt

Spyware:Cookie/Searchportal Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@searchportal.information[1].txt

Spyware:Cookie/Reliablestats Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@stats1.reliablestats[2].txt

Spyware:Cookie/Toplist Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@toplist[1].txt

Spyware:Cookie/Tucows Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@tucows[2].txt

Spyware:Cookie/BurstBeacon Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@www.burstbeacon[2].txt

Spyware:Cookie/DriveCleaner Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@www.drivecleaner[1].txt

Spyware:Cookie/myaffiliateprogram Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@www.myaffiliateprogram[2].txt

Spyware:Cookie/Xiti Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@xiti[1].txt

Spyware:Cookie/Xmts Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@xmts[2].txt

Spyware:Cookie/Yadro Not disinfected
C:\Documents and Settings\cshanks\Cookies\cshanks@yadro[2].txt

Spyware:Cookie/2o7 Not disinfected
C:\Documents and Settings\kristians\Cookies\kristians@112.2o7[2].txt

Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3231116100-639115373-4105824531-500\Dc1\Balm Media Drv.exe

Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3231116100-639115373-4105824531-500\Dc1\ejleqmji.exe

Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3231116100-639115373-4105824531-500\Dc1\Free first second.exe

Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3231116100-639115373-4105824531-500\Dc1\ObjFourCurbDrive.exe

Adware:Adware/Lop Not disinfected C:\RECYCLER\S-1-5-21-3231116100-639115373-4105824531-500\Dc2\once spam.exe



:thumbsup: _____________________________________________________________________



HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 10:51:11, on 03/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\BT Fusion\PhoneManager\PhoneManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\cshanks\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RNM Systems Ltd
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.200:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.condeco.resonate.co.uk;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101144640406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = resonate.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = resonate.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = resonate.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe


Thanks again David - I really appreciate you taking the time!
Cassandra

Edited by azyure, 03 October 2006 - 06:13 AM.


#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 03 October 2006 - 10:30 AM

You're welcome, but we haven't finished just yet...

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the fox --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I also want you to clean your cache and cookies from your firefox browser.
There are a few infected files which need to be removed from your system.

° Open the firefox browser.
° Click on the "tools" button and click on "options".
° Click "privacy" in the menu on the left side window.
° Open the History, Cookies and Cache tabs individually.
° Choose the "clear" button on each.
° Click OK to close the Options window

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, copy and paste next in the field:

C:\WINDOWS\vVX3000.exe

Then click the Send File button below.
Please let me know when you have submitted the file.

David

#7 azyure

azyure
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 04 October 2006 - 04:03 AM

Hi again! :thumbsup:

Right done all the temp file/cookies/cache clearing and also submitted that file.

Though I do believe that the file:

C:\WINDOWS\vVX3000.exe

is part of the installation for my webcam (Microsoft LifeCam VX3000)

I wasn't sure if you wanted my HijackThis log again - but here it is!

Logfile of HijackThis v1.99.1
Scan saved at 09:59:23, on 04/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\BT Fusion\PhoneManager\PhoneManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cshanks\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by RNM Systems Ltd
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.200:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.*.*;*.condeco.resonate.co.uk;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Phone Manager.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1101144640406
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = resonate.co.uk
O17 - HKLM\Software\..\Telephony: DomainName = resonate.co.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = resonate.co.uk
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ANTS Load distributed test service (ANTSLoad) - Unknown owner - C:\Program Files\ANTS Load\RedGate.Ants.AntsService.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

Thanks again! :flowers:

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 05 October 2006 - 12:00 PM

Yes you are right, that file was part of your Microsoft LifeCam VX3000.
I see a clean log here, how is the PC running now?

#9 azyure

azyure
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 06 October 2006 - 11:30 AM

Hi again, :thumbsup:

PC seems to be chugging along fine now - no pop-up's (thank goodness)! and nothing weird going on.

Think its all gone?

Thanks for all your help!

Edited by azyure, 06 October 2006 - 11:32 AM.


#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 06 October 2006 - 12:59 PM

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls
* I would recommend ZoneAlarm as a firewall as it's easy to use.

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with program on a regular basis just as you would an anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs.
* A article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.

If you have any addition questions just ask...
David

#11 azyure

azyure
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:58 AM

Posted 13 October 2006 - 09:51 AM

Thanks again!

PC is going great and I will keep all that information in mind regarding security.

Really appreciated your help and time and will make a donation as soon as I get paid!

:thumbsup:
Cassandra

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:04:58 AM

Posted 13 October 2006 - 11:08 AM

You're welcome Cassandra! :thumbsup:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users