W32.myzor.fk@yf


8 replies to this topic

#1 jumpinjax


Posted 06 November 2006 - 09:23 AM

Hello,
I'm in need of some help. The above virus has taken over my homepage and is telling me my computer is infected with a virus and malware. My homepage is now an anti-virus software site and is telling me to download and pay for their product to get rid of the virus. I have followed the advice given on this site to remove as much malware as possible, and below is a post of my HijackThis log file:
Logfile of HijackThis v1.99.1
Scan saved at 14:10:11, on 06/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Shaun\LOCALS~1\Temp\Rar$EX00.844\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\iVideoCodec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\iVideoCodec\iesplugin.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152202918437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\WINDOWS\system32\rrtcany.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe



#2 stonangel


Posted 06 November 2006 - 11:43 AM

Welcome to Bleeping Computer, jumpinjax.

* Please extract (unzip) HijackThis first. Otherwise the backups made when items are fixed won't be secure. The easiest way to accomplish this is to reinstall and delete any copies of HijackThis.zip you have saved.

Please download the self-extracting version of HijackThis from here:

HijackThis_sfx download

Save HijackThis_sfx to your desktop.

Double-click the file then click the Unzip button. Then close the Self-Extractor window.

Using My Computer/Windows Explorer, navigate to C:\Program Files\HijackThis and double click on HijackThis.exe to run it. If you would like to make a shortcut for your Desktop so it's more easily accessible, right click HijackThis.exe and choose Send To > Desktop (create shortcut).

Please run the extracted HijackThis.exe from now on. Delete any copies of HijackThis.zip that you have saved.

* Please download SmitfraudFix
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Olivier

#3 jumpinjax


Posted 06 November 2006 - 12:40 PM

Thanks for your help stonangel, here's the text file you requested from smitfraudfix.cmd:



SmitFraudFix v2.119

Scan done at 17:33:18.40, 06/11/2006
Run from C:\Documents and Settings\Shaun\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\rrtcany.dll FOUND !

C:\Documents and Settings\Shaun


C:\Documents and Settings\Shaun\Application Data


Start Menu


C:\DOCUME~1\Shaun\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\iVideoCodec\ FOUND !
C:\Program Files\VirusBursters\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"



AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


pe386-msguard-lzx32


Scanning wininet.dll infection


End

#4 stonangel


Posted 06 November 2006 - 01:44 PM

Hi jumpinjax,

* You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

* First download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.

* Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

* Reboot into Safe mode,

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the C:\rapport.txt, the AVG Anti-Spyware report scan and a new hijackthis log, please.


Olivier

#5 jumpinjax


Posted 06 November 2006 - 06:04 PM

Hi Stonangel, I followed your instructions and here are the results:
SmitFraudFix v2.119

Scan done at 20:14:26.54, 06/11/2006
Run from C:\Documents and Settings\Shaun\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{27321538-5739-4aa1-b84c-7d18e4383f1f}"="ferrateen"

[HKEY_CLASSES_ROOT\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{27321538-5739-4aa1-b84c-7d18e4383f1f}\InProcServer32]
@="C:\WINDOWS\system32\rrtcany.dll"


Killing process


Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\system32\rrtcany.dll -> Hoax.Win32.Renos.gen.g
C:\WINDOWS\system32\rrtcany.dll -> Deleted


Deleting infected files

C:\Program Files\iVideoCodec\ Deleted
C:\Program Files\VirusBursters\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Here's the AVG Anti-Spyware report scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:46:12 06/11/2006

+ Scan result:



C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0062885.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0062886.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0062887.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065108.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065109.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065110.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066332.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066333.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066334.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0000048.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0000049.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0000050.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-21-1935655697-1500820517-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A29A79A-B9C8-44A9-BEDF-7FADDE3CF33F} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1935655697-1500820517-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8BF5B8FC-11CB-409F-8C91-4D4CA04A1B6D} -> Adware.Generic : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0062826.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0062884.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP378\A0064041.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065041.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065045.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065107.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP379\A0065262.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066267.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066269.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066276.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP380\A0066331.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0004021.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0004053.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0004710.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0005038.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035201.exe -> Adware.SpywareQuake : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP368\A0034308.exe -> Adware.Surfside : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP368\A0034320.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2D3F5C42-1E09-47C2-873F-2E7383B25262}\RP368\A0034373.dll -> Adware.Surfside : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0032158.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0033164.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0033181.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0035181.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035215.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035219.exe -> Downloader.Zlob.auc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0032157.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0032159.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0033163.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP249\A0033165.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0033180.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0033182.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0035180.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP250\A0035182.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035214.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035216.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP251\A0035220.exe -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D111044B-2B01-45DB-B9EE-967E066E7FC5}\RP252\A0036285.dll -> Downloader.Zlob.aue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EBDC156B-EC49-42D8-9067-CFB2A7F63C14}\RP1\A0000148.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).


::Report end

And finally, a hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 23:00:12, on 06/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152202918437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
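The HijackThis logs in posts #1 and #5 above, as an added example that is not from the thread, from BleepingComputer or from HijackThis itself: a small Python parser for the HijackThis v1.99 line format (section code, CLSID, file path), a triage pass that uses the indicators the SmitfraudFix run in this thread identified (iVideoCodec, VirusBursters, rrtcany.dll) plus the SpywareBot entry the helper later asked to remove, and a before/after comparison of the two logs. The embedded log excerpts are trimmed copies of the logs posted above; the remaining triage rules (every O21 SSODL entry, unnamed BHOs or toolbars not on a small known-good list, processes running from a Temp folder) are this example's own heuristics, not HijackThis behaviour.

```python
"""Parse, triage and diff HijackThis v1.99 logs.

Added example, not code from the thread or from HijackThis. The
INDICATORS tuple is built from what the SmitfraudFix run in this
thread reported; every other rule is this example's own heuristic.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    section: str          # HijackThis section code, e.g. "O2", "O21"
    detail: str           # text after the "O2 - " prefix
    clsid: Optional[str]  # {GUID} on the line, lower-cased, if any
    path: Optional[str]   # first file path on the line, if any


ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|scr)\b", re.IGNORECASE)

# Folders/files named in the thread's SmitfraudFix report and the helper's reply.
INDICATORS = ("\\iVideoCodec\\", "\\VirusBursters\\", "rrtcany.dll", "\\SpywareBot\\")
# Legitimate "(no name)" BHO present in the log: Spybot S&D's SDHelper.dll.
KNOWN_GOOD_NONAME = ("sdhelper.dll",)


def parse_log(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running processes, parsed entries) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                      # process list ends at the first blank line
            if not line:
                in_procs = False
            else:
                processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, detail = m.groups()
        clsid, path = CLSID_RE.search(detail), PATH_RE.search(detail)
        entries.append(Entry(section, detail,
                             clsid.group(0).lower() if clsid else None,
                             path.group(0) if path else None))
    return processes, entries


def triage(processes: List[str], entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs a helper would want to look at first."""
    findings = []
    for p in processes:
        if "\\temp\\" in p.lower():
            findings.append((p, "process running from a Temp folder"))
    for e in entries:
        low = e.detail.lower()
        if e.section == "O21":
            findings.append((e.detail, "SSODL entry: DLL loaded by Explorer at logon"))
        elif any(i.lower() in low for i in INDICATORS):
            findings.append((e.detail, "matches an indicator from the SmitfraudFix report"))
        elif e.section in ("O2", "O3") and "(no name)" in low \
                and not any(g in low for g in KNOWN_GOOD_NONAME):
            findings.append((e.detail, "unnamed BHO/toolbar outside the known-good list"))
    return findings


def diff_entries(before: List[Entry], after: List[Entry]) -> Tuple[List[str], List[str]]:
    """(removed, added) entry texts between two logs, e.g. before and after a fix."""
    b, a = {e.detail for e in before}, {e.detail for e in after}
    return sorted(b - a), sorted(a - b)


# Constructed excerpts of the logs from posts #1 and #5 (trimmed, lines unchanged).
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 14:10:11, on 06/11/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Shaun\LOCALS~1\Temp\Rar$EX00.844\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8bf5b8fc-11cb-409f-8c91-4d4ca04a1b6d} - C:\Program Files\iVideoCodec\isaddon.dll
O3 - Toolbar: Protection Bar - {1a29a79a-b9c8-44a9-bedf-7fadde3cf33f} - C:\Program Files\iVideoCodec\iesplugin.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O21 - SSODL: ferrateen - {27321538-5739-4aa1-b84c-7d18e4383f1f} - C:\WINDOWS\system32\rrtcany.dll
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:00:12, on 06/11/2006

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
"""


def analyse() -> dict:
    """Triage both excerpts and report what the SmitfraudFix run removed."""
    procs_b, ents_b = parse_log(BEFORE_LOG)
    procs_a, ents_a = parse_log(AFTER_LOG)
    removed, added = diff_entries(ents_b, ents_a)
    return {"before_findings": triage(procs_b, ents_b),
            "after_findings": triage(procs_a, ents_a),
            "removed": removed, "added": added}


if __name__ == "__main__":
    for key, items in analyse().items():
        print(key)
        for item in items:
            print("   ", item)
```

Running the script on the two excerpts flags five items in the first log (the HijackThis process in Temp, the two iVideoCodec entries, the SpywareBot Run entry and the rrtcany.dll SSODL entry) and only the SpywareBot entry in the second, which matches what the helper asked to remove in the next reply; the diff lists the three entries SmitfraudFix cleaned and nothing added. Comparing by the full entry text rather than by CLSID is deliberate: a re-registered component with the same CLSID but a new path would otherwise be missed.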

#6 stonangel


Posted 07 November 2006 - 11:07 AM

Hi jumpinjax,

* Please Go to Start> Control Panel> Add or Remove Programs and uninstall if listed:

SpywareBot

Spyware remover of somewhat dubious repute; see here

Reboot afterwards.

* Please re-open HijackThis and scan. Check the below entry if found:

O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

Delete the following folder if still present:

C:\Program Files\SpywareBot

Close any open windows except for HijackThis then click on Fix checked.

* Restart your computer, post back a fresh hijackthis log and tell us how the computer is running now, please.

Edited by stonangel, 07 November 2006 - 11:08 AM.


Olivier

#7 jumpinjax


Posted 07 November 2006 - 12:08 PM

Hi Stonangel, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:02:06, on 07/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ntl\ntl Netguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ntl\ntl Netguard\RPS.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\United Alerts\UnitedAlerts.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\ntl\ntl Netguard\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\ntl\ntl Netguard\FBHR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ntl Netguard] "C:\Program Files\ntl\ntl Netguard\RPS.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.1.720.5674\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [United Alerts] "C:\Program Files\United Alerts\UnitedAlerts.exe"
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1152202918437
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe

The computer seems to be back to normal, my homepage is back and everything seems great. Thanks so much for your help, it is really appreciated.
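A HijackThis log is plain text with one entry per line (R0 start page, O2 BHOs, O4 autostarts, O16 ActiveX downloads, O20 Winlogon Notify, O23 services), so the eyeballing done in this thread can be written down as rules. The block below is an added example, not code from this thread or from HijackThis: a parser for the Rn/On line format plus a few triage rules, run over lines copied from the log above together with two constructed entries (the `sysupd` autostart and the `scanner.example.net` download) so the rules have something to flag. The trusted-host list and the "user-writable location" heuristic are assumptions of this example, not checks HijackThis itself performs.

```python
"""Parse a HijackThis 1.99 log and flag entries worth a second look.

Added example: this is not code from the thread or from HijackThis.  The
sample below mixes lines copied from the poster's log with two CONSTRUCTED
entries (the 'sysupd' autostart and the scanner.example.net download) so the
rules have something to fire on.
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKCU\..\Run: [United Alerts] "C:\Program Files\United Alerts\UnitedAlerts.exe"
O4 - HKCU\..\Run: [sysupd] C:\Documents and Settings\user\Local Settings\Temp\sysupd.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Scanner Control) - http://scanner.example.net/scan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\ntl\ntl Netguard\fws.exe
"""

ENTRY_RE = re.compile(r'^([RFO]\d+) - (.*)$')
# A drive-letter path up to its extension; copes with unquoted paths that
# contain spaces, e.g.  C:\Program Files\Blubster\Blubster.exe SILENT
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|scr|com|bat|cmd|vbs|lnk))', re.I)
# Assumption: an autostart binary living under one of these is unusual for a
# legitimate installer and common for droppers.
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\',
                 '\\documents and settings\\', '\\recycler\\')
# Assumption: the hosts the poster's own O16 lines point at; anything else
# is reported for review.
TRUSTED_DPF = ('microsoft.com', 'symantec.com', 'pandasoftware.com')


def parse_hjt(text):
    """Return [(section, body), ...] for every R/F/O entry in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def binary_path(s):
    m = PATH_RE.search(s)
    return m.group(1) if m else None


def in_user_writable(path):
    p = path.lower()
    return any(tag in p for tag in USER_WRITABLE)


def trusted_host(host):
    return host is not None and any(host == d or host.endswith('.' + d) for d in TRUSTED_DPF)


def triage(entries):
    """One rule per section of interest; returns [(section, level, message)]."""
    findings = []
    for sec, body in entries:
        if sec in ('R0', 'R1'):          # IE start/search pages: the hijack symptom itself
            findings.append((sec, 'info', 'IE page setting: ' + body.split(' = ', 1)[-1]))
        elif sec == 'O4':                # Run keys and Startup folders
            path = binary_path(body)
            if path is None:
                findings.append((sec, 'warn', 'autostart without a recognisable path: ' + body))
            elif in_user_writable(path):
                findings.append((sec, 'warn', 'autostart from user-writable location: ' + path))
        elif sec == 'O16':               # ActiveX downloads (DPF)
            m = re.search(r'\) - (\S+)$', body)
            host = urlparse(m.group(1)).hostname if m else None
            if not trusted_host(host):
                findings.append((sec, 'warn', 'ActiveX control from untrusted host: ' + (host or body)))
        elif sec == 'O20':               # Winlogon Notify DLLs load at every logon
            findings.append((sec, 'info', 'Winlogon Notify DLL, verify it: ' + body))
        elif sec == 'O23':               # services: "Name - Company - path"
            parts = body[len('Service: '):].split(' - ', 2)
            company = parts[1].strip() if len(parts) == 3 else ''
            path = binary_path(parts[-1])
            # HijackThis prints "Unknown owner" when the binary carries no company name
            if company in ('', 'Unknown owner') or (path and in_user_writable(path)):
                findings.append((sec, 'warn', 'service with no vendor or odd path: ' + body))
    return findings


def warnings_for(text):
    return [f for f in triage(parse_hjt(text)) if f[1] == 'warn']


if __name__ == '__main__':
    for sec, level, msg in triage(parse_hjt(SAMPLE_LOG)):
        print('%-4s %-4s %s' % (sec, level, msg))
```

Run as-is it prints the start page and the Winlogon Notify entry as informational, and only the two constructed lines as warnings; every genuine line from the poster's log passes, which is the same conclusion the thread reached by hand. The rules are deliberately narrow: they catch the common dropper pattern (autostart from Temp or a profile folder, ActiveX from an unknown host) and leave the judgement calls, such as whether a BHO belongs, to the reader.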

#8 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:02:55 AM

Posted 08 November 2006 - 02:10 PM

You're welcome.

Seems to be fine.

* Please create a new restore point as explained here:
http://www.microsoft.com/windowsxp/using/h...temrestore.mspx

* Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

Olivier
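Steps 1 and 2 above, as an added example in Python rather than the original post's click-through instructions: a purge routine that deletes what it can, records what was locked instead of stopping (the "skip that file and delete all the others" advice), and refuses to follow links out of the directory it was pointed at, so a junction someone planted inside %TEMP% cannot turn a cache clean-up into deletion elsewhere. The %TEMP% variable and the XP cache location under Local Settings are assumptions drawn from the steps; the IE "Delete Files" dialog remains the supported way to clear the cache, and anything IE holds open (index.dat) will simply show up in the skipped list.

```python
r"""Clear the Temp directories from Step 1 and Step 2 in one pass.

Added example, not part of the thread.  Assumptions: Windows XP layout,
where IE's cache is %USERPROFILE%\Local Settings\Temporary Internet Files,
and %TEMP% for the per-user temp folder.  Locked files are recorded and
skipped instead of aborting the run, matching the advice above.
"""
import os
import tempfile


def _remove(path, remover, report):
    try:
        remover(path)
        report['deleted'].append(path)
    except OSError as e:   # in use, access denied, or directory not yet empty
        report['skipped'].append((path, e.strerror))


def _remove_link(path):
    try:
        os.unlink(path)
    except OSError:
        os.rmdir(path)     # Windows directory symlinks/junctions go through rmdir


def purge_tree(root):
    """Delete every file under root, then whatever directories are left empty.

    Links are removed as links and never descended into, so a junction or
    symlink inside %TEMP% cannot redirect the purge outside the tree.
    root itself is kept.  Returns {'deleted': [...], 'skipped': [(path, why)]}.
    """
    report = {'deleted': [], 'skipped': []}
    if not os.path.isdir(root):
        return report
    for dirpath, dirnames, filenames in os.walk(root, topdown=False, followlinks=False):
        for name in filenames:
            _remove(os.path.join(dirpath, name), os.unlink, report)
        for name in dirnames:
            p = os.path.join(dirpath, name)
            _remove(p, _remove_link if os.path.islink(p) else os.rmdir, report)
    return report


def xp_temp_locations():
    """The two folders the steps above clear, resolved from the environment (assumed XP layout)."""
    locs = [os.environ.get('TEMP')]
    profile = os.environ.get('USERPROFILE')
    if profile:
        locs.append(os.path.join(profile, 'Local Settings', 'Temporary Internet Files'))
    return [p for p in locs if p]


def build_sample_tree():
    """Constructed fixture: a temp tree with a nested file and a link that
    points outside it.  Returns (root, path_of_file_outside_root)."""
    root = tempfile.mkdtemp(prefix='purge_demo_')
    os.mkdir(os.path.join(root, 'sub'))
    for rel in ('a.tmp', os.path.join('sub', 'b.tmp')):
        open(os.path.join(root, rel), 'w').close()
    outside = tempfile.mkdtemp(prefix='purge_keep_')
    keep = os.path.join(outside, 'keep.txt')
    open(keep, 'w').close()
    os.symlink(outside, os.path.join(root, 'link'))
    return root, keep


if __name__ == '__main__':
    root, keep = build_sample_tree()
    r = purge_tree(root)
    print('%d removed, %d skipped, file outside the tree survived: %s'
          % (len(r['deleted']), len(r['skipped']), os.path.exists(keep)))
    if os.name == 'nt':                    # the real folders, Windows only
        for loc in xp_temp_locations():
            r = purge_tree(loc)
            print('%s: %d removed, %d skipped' % (loc, len(r['deleted']), len(r['skipped'])))
            for p, why in r['skipped']:
                print('  skipped %s (%s)' % (p, why))
```

The walk is bottom-up so that a directory is only removed after its contents are gone, and a directory that still holds a locked file lands in the skipped list rather than raising; that is the point where the original advice says to reboot into Safe Mode and run the step again.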

#9 stonangel

stonangel

  • Members
  • 595 posts
  • OFFLINE
  • Location:France
  • Local time:02:55 AM

Posted 11 November 2006 - 04:19 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Olivier



