Hjt Log - Being Redirected To Dodgy Sites! (possibly Lop, Netdotnet)


5 replies to this topic

#1 Catlaydee

Catlaydee

  • Members
  • 9 posts

Posted 30 November 2006 - 11:23 AM

I've done all the scans that are recommended - http://www.bleepingcomputer.com/forums/t/73862/being-redirected-to-dodgy-sites/ is my post where I've quoted all the things recommended :thumbsup:

Any help gratefully received!

Logfile of HijackThis v1.99.1
Scan saved at 16:16:15, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\HJT\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...3/OCI/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120298904559
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137853126906
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://carracam2.dyndns.info:8500/bl_camera.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ta/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

Edited by Catlaydee, 30 November 2006 - 11:27 AM.



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 November 2006 - 03:28 PM

Hello Catlaydee,

I am SifuMike and I will be helping you. :thumbsup:

Disable your antivirus program and go here http://www.bitdefender.com/scan8/ie.html and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee. :flowers:
Please be patient, as it can take many hours to run. It all depends on the size of your hard drive.

When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30-day trial of the program.

1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on ewido in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
5. Click on "Save Report" to view all completed scans.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
6. Exit AVG Anti-Spyware 7.5

When done, submit the AVG Anti-Spyware 7.5 log, the BitDefender log and a fresh HijackThis log.

Edited by SifuMike, 30 November 2006 - 03:29 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Catlaydee

Catlaydee
  • Topic Starter

  • Members
  • 9 posts

Posted 01 December 2006 - 04:59 AM

Here's my log -

BitDefender Online Scanner

Scan report generated at: Thu, Nov 30, 2006 - 23:25:27

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 02:21:53
Files: 637463
Folders: 9620
Boot Sectors: 4
Archives: 28451
Packed Files: 62028

Results
Identified Viruses: 13
Infected Files: 19
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 19

Engines Info
Virus Definitions: 323775
Engine build: AVCORE v1.0 (build 2368) (i386) (Nov 16 2006 11:31:19)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\Documents and Settings\Your_name\My Documents\lopremover.exe
Detected with: Adware.Lop

C:\Documents and Settings\Your_name\My Documents\lopremover.exe
Disinfection failed

C:\Documents and Settings\Your_name\My Documents\lopremover.exe
Deleted

C:\Documents and Settings\Your_name\My Documents\My Received Files\DragRacer-v3-Setup.exe=>(NSIS o)=>lzma_solid_nsis0003
Infected with: Trojan.Pakes.BC

C:\Documents and Settings\Your_name\My Documents\My Received Files\DragRacer-v3-Setup.exe=>(NSIS o)=>lzma_solid_nsis0003
Disinfection failed

C:\Documents and Settings\Your_name\My Documents\My Received Files\DragRacer-v3-Setup.exe=>(NSIS o)=>lzma_solid_nsis0003
Deleted

C:\Documents and Settings\Your_name\My Documents\My Received Files\DragRacer-v3-Setup.exe=>(NSIS o)
Update failed

C:\RECYCLER\S-1-5-21-343818398-220523388-682003330-1003\Dc2\backups\backup-20050326-161813-951.dll
Infected with: Backdoor.Optix.Pro.1

C:\RECYCLER\S-1-5-21-343818398-220523388-682003330-1003\Dc2\backups\backup-20050326-161813-951.dll
Disinfection failed

C:\RECYCLER\S-1-5-21-343818398-220523388-682003330-1003\Dc2\backups\backup-20050326-161813-951.dll
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438152.exe
Infected with: Trojan.Downloader.Swizzor.BO

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438152.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438153.exe
Infected with: Trojan.Downloader.Swizzor.DI

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438153.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438153.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438154.exe
Infected with: Trojan.Downloader.Swizzor.CN

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438154.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438154.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438155.exe
Infected with: Trojan.Downloader.Swizzor.CB

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438155.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438155.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438156.exe
Infected with: Trojan.Downloader.Swizzor.DG

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438156.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438156.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438157.exe
Infected with: Trojan.Downloader.Swizzor.CN

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438157.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438157.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438158.exe
Infected with: Trojan.Downloader.Swizzor.DE

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438158.exe
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438158.exe
Deleted

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438310.dll
Infected with: Backdoor.Optix.Pro.1

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438310.dll
Disinfection failed

C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438310.dll
Deleted

C:\WINDOWS\sqldata1.exe
Infected with: Trojan.Pakes.BC

C:\WINDOWS\sqldata1.exe
Disinfection failed

C:\WINDOWS\sqldata1.exe
Deleted

E:\My Documents\Karen's bits 2\blocky.exe=>(ZIP Sfx o)=>archstored:2
Infected with: Trojan.Muldrop.2788.A

E:\My Documents\Karen's bits 2\blocky.exe=>(ZIP Sfx o)=>archstored:2
Disinfection failed

E:\My Documents\Karen's bits 2\blocky.exe=>(ZIP Sfx o)=>archstored:2
Deleted

E:\My Documents\Karen's bits 2\blocky.exe=>(ZIP Sfx o)
Update failed

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0054
Infected with: Dropped:Application.Adware.NewDotNet.A

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0054
Disinfection failed

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0054
Deleted

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe
Update failed

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0055=>(RAR Sfx o)=>WhAgent.exe
Detected with: Application.Spyware.WebHancer.A

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0055=>(RAR Sfx o)=>WhAgent.exe
Disinfection failed

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0055=>(RAR Sfx o)=>WhAgent.exe
Deleted

E:\My Documents\Karen's bits 2\jokes and funnies\xmasclipartfree.exe=>wise0055=>(RAR Sfx o)
Update failed

E:\My Documents\Karen's bits 2\Copy of lopremover.exe
Detected with: Adware.Lop

E:\My Documents\Karen's bits 2\Copy of lopremover.exe
Disinfection failed

E:\My Documents\Karen's bits 2\Copy of lopremover.exe
Deleted

E:\My Documents\buddyiconsfree.exe=>wise0064
Infected with: Dropped:Application.Adware.NewDotNet.A

E:\My Documents\buddyiconsfree.exe=>wise0064
Disinfection failed

E:\My Documents\buddyiconsfree.exe=>wise0064
Deleted

E:\My Documents\buddyiconsfree.exe
Update failed

E:\My Documents\buddyiconsfree.exe=>wise0065=>(RAR Sfx o)=>WhAgent.exe
Detected with: Application.Spyware.WebHancer.A

E:\My Documents\buddyiconsfree.exe=>wise0065=>(RAR Sfx o)=>WhAgent.exe
Disinfection failed

E:\My Documents\buddyiconsfree.exe=>wise0065=>(RAR Sfx o)=>WhAgent.exe
Deleted

E:\My Documents\buddyiconsfree.exe=>wise0065=>(RAR Sfx o)
Update failed

E:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438312.exe
Detected with: Adware.Lop

E:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438312.exe
Disinfection failed

E:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438312.exe
Deleted


AVG log

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:24:22 12/1/2006

+ Scan result:



C:\WINDOWS\system32\SetupCarnival.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Documents and Settings\Your_name\My Documents\My Pictures\Emoticons\emomaker.exe -> Adware.F1Organizer : Cleaned with backup (quarantined).
E:\My Documents\Karen's bits 2\blocky.exe/1 -> Adware.IMAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1090\A0438151.dll -> Adware.MediaBack : Cleaned with backup (quarantined).
C:\Documents and Settings\Your_name\Desktop\NNuninstall.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{77ECB911-3377-4566-B91C-04DD8CB0B5EF}\RP1091\A0438174.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\DLP.dll -> Adware.Webdir : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-220523388-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} -> Adware.WebDir : Cleaned with backup (quarantined).
C:\Documents and Settings\Your_name\My Documents\My Received Files\buttkisser.exe -> Adware.Zango : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPrx(2).prx:twkxcl -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPrx(3).prx:twkxcl -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WORDPAD(2).INI:qvafj -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WORDPAD(3).INI:qvafj -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\eReg.dat:bwdqgq -> Downloader.Agent.bc : Cleaned with backup (quarantined).
C:\WINDOWS\WMSysPr9(2).prx:lyfivj -> Downloader.Agent.td : Cleaned with backup (quarantined).
C:\WINDOWS\_default(2).pif:ootvi -> Downloader.Agent.td : Cleaned with backup (quarantined).
C:\WINDOWS\_default(3).pif:ootvi -> Downloader.Agent.td : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.115:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.116:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.117:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.118:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.146:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.147:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.148:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.149:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.167:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.6:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\66lzrbm4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.105:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.150:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.161:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.164:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.165:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.166:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.108:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.55:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.162:C:\Documents and Settings\Your_name\Application Data\Mozilla\Firefox\Profiles\yz1ihhf4.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\WININIT(2).INI:symcbh -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\WINDOWS\_default(2).pif:xdcwht -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\WINDOWS\_default(3).pif:xdcwht -> Trojan.Agent.bi : Cleaned with backup (quarantined).
HKU\S-1-5-21-343818398-220523388-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3A4E6FF3-BF59-446E-9DC8-731BCE2F349A} -> Trojan.Banker.q : Cleaned with backup (quarantined).


::Report end


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 12:26:29, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...3/OCI/setup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120298904559
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137853126906
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://carracam2.dyndns.info:8500/bl_camera.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ta/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe

:thumbsup:

Edited by Catlaydee, 01 December 2006 - 07:45 AM.


#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 01 December 2006 - 11:17 AM

Hello Catlaydee,

Looks like BitDefender and AVG antispyware removed much malware. :thumbsup:


You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
If your firewall gives an alert (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115



Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Edited by SifuMike, 01 December 2006 - 11:18 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Catlaydee

Catlaydee
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:30 PM

Posted 01 December 2006 - 03:24 PM

Fantastic, it's worked!

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 19:28:28, on 12/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Documents and Settings\Your_name\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-30.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...3/OCI/setup.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1120298904559
O16 - DPF: {6DB731A3-B074-4118-8B1C-32511C65D836} (FotovistaPhotoUploader.ctrFpu) - http://www.mypixmania.com/uk/uk/tools/activex/fpu.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1137853126906
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...canner37480.cab
O16 - DPF: {87BE3784-6977-4E84-AA08-55A96B9CEAC5} (Bl_camera Control) - http://carracam2.dyndns.info:8500/bl_camera.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/pla...0/Installer.exe
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://www.contentwatch.com/audit/includes...uditControl.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...ta/imloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe


Fixwareout log

Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\qlamz
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.


I needed to run the WinsockXPFix programme afterwards, as I couldn't connect to the internet unless I went through links in emails.

Many thanks for all your help - donation coming up :thumbsup:

#6 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:07:30 PM

Posted 01 December 2006 - 10:02 PM

Hello Catlaydee,

I looked up this Internet provider 85.255.115.101,85.255.112.115

(Asked whois.ripe.net:43 about 85.255.115.101)

inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
descr: Inhoster hosting company
descr: OOO Inhoster Poltavskij Shliax 24 Kharkiv 61000 Ukraine
remarks: -----------------------------------
remarks: Abuse notifications to: abuse@inhoster.com
remarks: Network problems to: noc@inhoster.com
remarks: Peering requests to: peering@inhoster.com
remarks: -----------------------------------
country: UA
org: ORG-EST1-
address: OOO Inhoster
address: Poltavskij Shliax 24 Xarkov
address: 61000 Ukraine




It says it is in the Ukraine. :thumbsup: Is that your Internet Service Provider?

If it is your Internet Service Provider, then you can ignore the rest of my fix.

If not, then proceed.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

Make sure you have all the browser and explorer windows closed or the fix will not work.

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix".

If this Domain does not belong to your Internet Service Provider, or your firm's network, these entries should be fixed.
Do you know the Internet Provider or Domain '85.255.115.101,85.255.112.115'? If not, fix this entry.


O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115



*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Finally, reboot to Normal Mode and post a new HijackThis log, and tell me how your computer is running.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
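As an added example (not from the thread, and not part of HijackThis or Fixwareout), here is the check SifuMike does by hand in posts #4 and #6, automated: pull the O17 NameServer addresses out of a HijackThis log, turn the whois inetnum into a CIDR block, and give each network interface a verdict. The O17 lines and the inetnum are the ones quoted in the thread; the trusted resolver range is a constructed placeholder (RFC 5737 documentation space) standing in for the ISP's real resolvers, which the thread does not give.

```python
"""Flag HijackThis O17 NameServer entries whose resolvers are not where you expect.

Added example, not code from the thread or from HijackThis. The sample log lines
and the whois inetnum are copied from the posts above; TRUSTED_RESOLVERS is a
constructed placeholder that a real user replaces with their ISP's resolvers.
"""
import ipaddress
import re

# Constructed sample: the three O17 lines from the HijackThis log in the thread,
# plus two unrelated lines to show that non-O17 lines are ignored.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wanadoo.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{5D28BE23-4D08-4925-8EAC-2578B5875D8F}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D12D1F4-7A43-4AE3-A651-0A5BD95AEA2D}: NameServer = 85.255.115.101,85.255.112.115
O17 - HKLM\System\CCS\Services\Tcpip\..\{CC511619-13F3-44DD-B87A-22B5D577FF7D}: NameServer = 85.255.115.101,85.255.112.115
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
"""

# The RIPE answer quoted in post #6, trimmed to the lines we need.
SAMPLE_WHOIS = """
inetnum: 85.255.112.0 - 85.255.127.255
netname: inhoster
country: UA
"""

# Placeholder for the ISP's real resolver addresses (RFC 5737 documentation
# range). The thread does not give Wanadoo's resolvers, so this is constructed.
TRUSTED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24")]

# An O17 line ends in the interface GUID followed by the resolver list.
O17_RE = re.compile(
    r"^O17 - .*\\\{(?P<iface>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>[0-9., ]+)$"
)
INETNUM_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.MULTILINE)


def parse_o17(log_text):
    """Return [{'iface': GUID, 'servers': [IPv4Address, ...]}] for each O17 line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [ipaddress.ip_address(s.strip())
                   for s in m.group("servers").split(",") if s.strip()]
        entries.append({"iface": m.group("iface"), "servers": servers})
    return entries


def networks_from_whois(whois_text):
    """Turn every inetnum range in a RIPE answer into CIDR networks."""
    nets = []
    for start, end in INETNUM_RE.findall(whois_text):
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets


def classify(addr, trusted, hostile):
    """'trusted' if in the ISP allowlist, 'hostile' if inside a looked-up bad
    range, else 'unknown' (the case the thread tells the user to investigate)."""
    addr = ipaddress.ip_address(addr)
    if any(addr in n for n in trusted):
        return "trusted"
    if any(addr in n for n in hostile):
        return "hostile"
    return "unknown"


def assess(log_text, trusted, hostile):
    """Worst verdict per interface GUID; anything but 'trusted' merits a look."""
    rank = {"trusted": 0, "unknown": 1, "hostile": 2}
    findings = {}
    for entry in parse_o17(log_text):
        verdicts = [classify(a, trusted, hostile) for a in entry["servers"]]
        findings[entry["iface"]] = max(verdicts, key=rank.__getitem__)
    return findings


if __name__ == "__main__":
    hostile_nets = networks_from_whois(SAMPLE_WHOIS)
    for iface, verdict in assess(SAMPLE_HJT_LOG, TRUSTED_RESOLVERS, hostile_nets).items():
        print(f"{iface}: {verdict}")
```

Each O17 line is one network interface, so all three GUIDs here point at the same two resolvers and all three must be fixed together, which is why SifuMike lists all three. A resolver that is merely "unknown" is not proof of compromise; it is the prompt to do the whois lookup shown in post #6 before deciding.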



