
Am I Infected? Please Help!


3 replies to this topic

#1 photomom

photomom

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:48 AM

Posted 13 January 2007 - 02:06 PM

Am I infected? Could you please help fix the problem if there is one?

Logfile of HijackThis v1.99.1
Scan saved at 12:01:12 PM, on 1/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\hpbpro.exe
C:\WINDOWS\System32\hpboid.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\3carnutz\Local Settings\Temporary Internet Files\Content.IE5\RF9J2F7V\HijackThis[1]\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
F2 - REG:system.ini: UserInit=userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\3carnutz\Application Data\Mozilla\Profiles\default\7e5k0gbf.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {9E4F45DB-2EC3-4b09-91F9-31C702B3285D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bresnan.net
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...0|pdp|viewpoint
O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\3carnutz\Local Settings\Temporary Internet Files\Content.IE5\B7AM7KYX\fotos\1\calc.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093788616503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128708161414
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://surf.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.22.58.150/activex/AxisCamControl.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1444/ftp...23/cpbrkpie.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AAD32D2E-02C8-11D7-81B3-0050FC352236} (Softwell_DVR_Monitor.monitor) - http://69.144.219.166/activeX/DvrActiveXSetup.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


#2 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:48 PM

Posted 14 January 2007 - 01:56 PM

Hi and welcome to the Forums :thumbsup:

You got something that we'll get rid of....

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Download HijackThis to your desktop from here

Create a new folder for HijackThis and move HijackThis.exe into it.

==================

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings on purpose.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O2 - BHO: (no name) - {9E4F45DB-2EC3-4b09-91F9-31C702B3285D} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\3carnutz\Local Settings\Temporary Internet Files\Content.IE5\B7AM7KYX\fotos\1\calc.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1444/ftp...23/cpbrkpie.cab

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log
UNITE & ASAP member since 2006
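The fix list above is built by reading the HijackThis log line by line and applying a few structural rules: an R0 value left empty, an O2 BHO whose DLL is "(no file)", an O6 policy restriction that only belongs there if the user locked Internet Explorer down on purpose, and an O16 DPF (downloaded ActiveX) entry pointing at a local file:// path under Temporary Internet Files instead of a vendor .cab. The following script is an added example written for this page; it is not part of the thread and not a HijackThis feature. The entry format is copied from the logs posted above, the sample log is constructed (user name and ISP string are placeholders), and the names Finding, triage_line, triage and fix_list are my own. The rules are structural only: the akamai cpbrkpie.cab entry the helper also removed was identified from signature knowledge that these rules do not encode.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 format (layout and CLSIDs as in the thread;
# user name and ISP string are placeholders).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Example ISP
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IEWatchObj Class - {9527D42F-D666-11D3-B8DD-00600838CD5F} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {14578416-1111-1111-1111-111111411123} - file://C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\B7AM7KYX\fotos\1\calc.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093788616503
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, O2, O16, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "fix": tick it under "Fix checked"; "review": confirm with the user first
    reason: str
    line: str


def triage_line(line):
    """Apply the structural rules to one log line; return a Finding or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None            # header, blank line or "Running processes" path
    section, body = m.group("section"), m.group("body")
    if section == "R0" and body.endswith("="):
        return Finding(section, "fix", "IE page value is empty; resetting it is harmless", line)
    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "fix", "BHO registered but its DLL is gone (orphaned entry)", line)
    if section == "O6" and body.endswith(" present"):
        return Finding(section, "review", "IE policy restriction set; fine only if locked on purpose", line)
    if section == "O16":
        # Last " - "-separated field is the download source of the ActiveX control.
        target = body.rsplit(" - ", 1)[-1].strip()
        if target.lower().startswith("file://"):
            return Finding(section, "fix", "DPF entry points at a local file instead of a vendor .cab", line)
    if section == "O23" and body.endswith("(file missing)"):
        return Finding(section, "review", "service registered for a binary that no longer exists", line)
    return None


def triage(log_text):
    """Run triage_line over a whole log and keep the hits, in log order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def fix_list(findings):
    """Lines to tick after 'Do a system scan only' before pressing 'Fix checked'."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

The "review" severity keeps the O6 and O23 lines out of the automatic fix list, matching the helper's wording that the O6 entries are only removed if the user did not lock IE settings deliberately; the three "fix" lines are exactly the structural cases from the list above.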

#3 photomom

photomom
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:09:48 AM

Posted 15 January 2007 - 06:57 PM

Thank you for your help.
Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:38:14 PM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\3carnutz\Desktop\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Bresnan OnLine
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = <local>
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = <local>
F2 - REG:system.ini: UserInit=userinit.exe
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\3carnutz\Application Data\Mozilla\Profiles\default\7e5k0gbf.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\System32\hphmon06.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [XPRepairBusiness] C:\Program Files\XP Repair Pro\xprepairpro.exe /s
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.bresnan.net
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...0|pdp|viewpoint
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://www.runaware.com/dolphin/wficat.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1093788616503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128708161414
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://surf.direcway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://142.22.58.150/activex/AxisCamControl.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/instal...edsolutions.cab
O16 - DPF: {AAD32D2E-02C8-11D7-81B3-0050FC352236} (Softwell_DVR_Monitor.monitor) - http://69.144.219.166/activeX/DvrActiveXSetup.exe
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\System32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\System32\hpboid.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


Here is AVG's report:

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:27:52 PM 1/15/2007

+ Scan result:



C:\Program Files\WebSavingsfromEbates -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\ApplicationData -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\ApplicationData\3carnutz -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\ApplicationData\3carnutz\dataexcludeebateswebsavingsdr1saved.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\ApplicationData\3carnutz\ebateswebsavingsdr1data.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\ApplicationData\merchants.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\Applications -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\Applications\cmpck.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\Applications\ebatesdatamerchCust.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\MTemp -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\MTemp\logfile.txt -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\dump.txt -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_confirmredir0.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_confirmredir0_wo.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_preferences0.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_preferences0_wo.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0_wo.htm -> Adware.MoneyMaker : Cleaned with backup (quarantined).
C:\Program Files\WebSavingsfromEbates\WebSavings_README.txt -> Adware.MoneyMaker : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WinStatX.Installer -> Adware.WinTaskAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WinStatX.Installer\CLSID -> Adware.WinTaskAd : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\d147s.exe -> Logger.Banker.amq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\d270s.exe -> Logger.Banker.amq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\tgs.dll -> Logger.Banker.amq : Cleaned with backup (quarantined).
C:\Documents and Settings\3carnutz\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5a2702fd-16837056.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc114.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc143.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc202.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc228.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc127.txt -> TrackingCookie.Adbrite : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc132.txt -> TrackingCookie.Addynamix : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc131.txt -> TrackingCookie.Adrevolver : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc136.txt -> TrackingCookie.Adtech : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc255.txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc256.txt -> TrackingCookie.Burstnet : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc152.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc164.txt -> TrackingCookie.Com : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc291.txt -> TrackingCookie.Com : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc178.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc196.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc305.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc312.txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc232.txt -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc270.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc156.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc209.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc212.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc235.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc295.txt -> TrackingCookie.Overture : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc134.txt -> TrackingCookie.Pointroll : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc221.txt -> TrackingCookie.Questionmarket : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc175.txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc302.txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc309.txt -> TrackingCookie.Ru4 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc129.txt -> TrackingCookie.Specificclick : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc238.txt -> TrackingCookie.Statcounter : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc137.txt -> TrackingCookie.Tacoda : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc139.txt -> TrackingCookie.Tacoda : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc239.txt -> TrackingCookie.Tacoda : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc243.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc244.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc126.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc145.txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc288.txt -> TrackingCookie.Zedo : Cleaned.


::Report end
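The report above is what the next reply is read from: the family labels (Logger.Banker.*, Adware.*, TrackingCookie.*, Not-A-Virus.Exploit.*) decide whether the finding is cosmetic or whether credentials must be treated as compromised. The script below is an added example written for this page, not part of the thread and not AVG code. It parses the "object -> family : action." lines of the AVG Anti-Spyware report format shown above, groups detections by class and records whether they were quarantined (recoverable) or just cleaned; the sample report is a constructed excerpt with a placeholder user name, and the class table, parse_report and summarize are my own names and choices.

```python
import re
from collections import Counter

# Constructed excerpt in the AVG Anti-Spyware 7.5 report format posted in this thread.
SAMPLE_REPORT = r"""AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:27:52 PM 1/15/2007

+ Scan result:

C:\Program Files\WebSavingsfromEbates\Applications\cmpck.dls -> Adware.MoneyMaker : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WinStatX.Installer -> Adware.WinTaskAd : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\d147s.exe -> Logger.Banker.amq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\tgs.dll -> Logger.Banker.amq : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-5a2702fd-16837056.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc114.txt -> TrackingCookie.2o7 : Cleaned.
C:\RECYCLER\S-1-5-21-1110412475-473866232-3689853989-1006\Dc178.txt -> TrackingCookie.Fastclick : Cleaned.


::Report end
"""

# One detection per line: <file or registry object> -> <family> : <action>.
DETECTION_RE = re.compile(r"^(?P<object>.+?) -> (?P<family>\S+) : (?P<action>.+?)\.$")

# Family-name prefixes mapped to the class that drives the follow-up advice.
CLASSES = [
    ("Logger.", "keylogger / banking trojan"),
    ("Adware.", "adware"),
    ("TrackingCookie.", "tracking cookie"),
    ("Not-A-Virus.Exploit.", "cached exploit artifact"),
]


def classify(family):
    for prefix, label in CLASSES:
        if family.startswith(prefix):
            return label
    return "other"


def parse_report(text):
    """Return one dict per detection line; header and footer lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def summarize(text):
    hits = parse_report(text)
    return {
        "total": len(hits),
        "by_class": dict(Counter(classify(h["family"]) for h in hits)),
        # "Cleaned with backup (quarantined)" can be restored; plain "Cleaned" cannot.
        "quarantined": sum(1 for h in hits if "quarantined" in h["action"]),
        # Any keylogger family means stored passwords must be assumed stolen.
        "credential_theft_suspected": any(h["family"].startswith("Logger.") for h in hits),
        # Registry objects need no file cleanup but show what the adware registered.
        "registry_objects": [h["object"] for h in hits if h["object"].startswith("HK")],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Running it on the full report above gives the same verdict the helper reached in the next post: the Logger.Banker.amq hits set credential_theft_suspected, so the password-change advice follows from the report itself, while the dozens of TrackingCookie entries only affect the totals.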

#4 Mr_JAk3

Mr_JAk3

    HJT Team Member


  • Members
  • 527 posts
  • OFFLINE
  • Location:Finland
  • Local time:05:48 PM

Posted 16 January 2007 - 02:47 PM

Hi again, it is looking clean now :thumbsup:
Is the computer running fine?

You had keyloggers there (programs that log keystrokes). If this system is used for online banking or has credit card information on it, all passwords should be changed immediately. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too.

If everything is running fine, then the first priority is to visit Windows Update and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll probably have to reboot and get back to the update several times before all of them are installed)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
  • Clear your system restore
    This will clear the system restore folders from possible malware that was left behind during the cleaning process.
  • Use ATF Cleaner
    Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
  • Use Ad-Aware
    Download and install Ad-Aware. Update it and scan your computer regularly with it.
  • Use AVG Anti-Spyware
    Update it and scan your computer regularly with it.
  • Use Spybot S&D
    Download and install Spybot S&D. Update it and scan your computer regularly with it.
  • Install SpywareBlaster
    SpywareBlaster will prevent spyware from being installed.
  • Install MVPS Hosts file
    This prevents your computer from connecting to harmful sites.
  • Use Firefox browser
    Firefox is a faster, safer and better browser than Internet Explorer.
  • Keep your system up-to-date
    Visit Windows Update regularly.
  • Keep your antivirus and firewall up-to-date
    Scan your computer regularly with your antivirus.
  • Read this article by TonyKlein
    So how did I get infected in the first place?
  • Stand Up and Be Counted!
    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)

Edited by Mr_JAk3, 16 January 2007 - 02:47 PM.

UNITE & ASAP member since 2006