Trojan Psw Generic3.cdd And Cdf Internet Problem


  • This topic is locked
7 replies to this topic

#1 FullMJ

  • Members
  • 13 posts

Posted 03 February 2007 - 06:07 AM

Logfile of HijackThis v1.99.1
Scan saved at 09:58:33, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\000_[NO_INSTALL]\Security\Hijack This V 1_99_1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\okviewer4.dll' missing
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

____________________________________________________________________________________

I updated my AVG Virus tables yesterday and was about to check for Updates for Ad-Aware, Spybot, SpywareBlaster etc. when I noticed that none of them would connect to update.

I tried to check the net for info and it wouldn't connect to Google etc.

I ran AVG, Ad-Aware and Spybot S&D, fixed the entries that showed up, deleted the Temp Files and ran HijackThis to look for any "suspicious" looking entries (but I'm a little out of my depth here).

I suspect that items
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\okviewer4.dll' missing
and
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
may be something to do with this as both of these files appear in the AVG Virus Vault.

I looked for info on the net (on another Computer) about these files but didn't turn up much.

Also I tried to Defrag and noticed that Executive Diskeeper was also no longer accessible
(though this may be a different problem entirely).

Any help at all with any of this would be very much appreciated.

Tim(UK)
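The two entries Tim picks out are the right ones to start from. An O10 line means the Winsock catalog still names a Layered Service Provider DLL that is no longer on disk (AVG vaulted okviewer4.dll, so every socket the browser and the updaters open fails before it reaches the network), and the O23 service points at C:\WINDOWS\alg.exe, which is both missing and in the wrong place, since the real Application Layer Gateway binary lives in system32. The script below is an added example for this page, not HijackThis code and not something any participant posted. It parses O4, O10 and O23 lines in the format shown above, flags those three conditions, and runs on a constructed sample log; the SYSTEM32_ONLY and HKCU_SYSTEM32_OK name lists are this example's own assumptions.

```python
"""Triage a HijackThis 1.99.1 log for the three kinds of entry this thread
turned on: an O10 line (Winsock LSP chain pointing at a DLL that is gone),
O23 services whose binary is missing or wears a Windows system-binary name
outside system32, and per-user O4 Run entries that launch from system32.

Added example for this thread: not part of HijackThis or of any post.
SAMPLE_LOG is constructed from the shape of the logs above; the name lists
below are this example's own assumptions."""
import ntpath
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    kind: str    # short tag such as "lsp_missing"
    entry: str   # the log line that produced the finding
    detail: str  # what a responder should do with it


# Names that belong only in %SystemRoot%\system32; the same name anywhere
# else (C:\WINDOWS\alg.exe in the thread) is a lookalike.  Assumed list.
SYSTEM32_ONLY = {"alg.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                 "winlogon.exe", "services.exe", "smss.exe"}
# Per-user Run values that legitimately point into system32 on XP.
HKCU_SYSTEM32_OK = {"ctfmon.exe"}

_O10 = re.compile(r"^O10 - Broken Internet access because of LSP provider "
                  r"'(?P<dll>.+?)' missing$")
_O23 = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
                  r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
_O4 = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: "
                 r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Constructed sample, same shape as the logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\okviewer4.dll' missing
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def exe_of(command: str) -> str:
    """Executable path of a Run/service command line, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    elif command.lower().endswith(".exe"):
        exe = command                       # unquoted path, no arguments
    else:
        exe = command.split(" ", 1)[0]
    return exe.lower()


def in_system32(exe: str) -> bool:
    """True when the normalised directory of exe is a system32 folder
    (normpath collapses tricks such as system32\\..\\system32)."""
    return ntpath.normpath(ntpath.dirname(exe)).lower().endswith("\\system32")


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := _O10.match(line):
            findings.append(Finding("lsp_missing", line,
                f"Winsock catalog still references {m['dll']}; remove the entry "
                "(LSPFix) rather than putting the DLL back"))
        elif m := _O23.match(line):
            exe = exe_of(m["path"])
            if m["missing"]:
                findings.append(Finding("service_binary_missing", line,
                    f"service '{m['display']}' is still registered but {exe} is "
                    "gone (quarantined?); stop, disable and delete the service"))
            if ntpath.basename(exe) in SYSTEM32_ONLY and not in_system32(exe):
                findings.append(Finding("system_binary_lookalike", line,
                    f"{exe} carries a Windows system-binary name outside system32"))
        elif m := _O4.match(line):
            exe = exe_of(m["cmd"])
            if (m["hive"] == "HKCU" and in_system32(exe)
                    and ntpath.basename(exe) not in HKCU_SYSTEM32_OK):
                findings.append(Finding("hkcu_run_in_system32", line,
                    f"per-user autorun [{m['name']}] starts {exe} from system32; "
                    "check whether the file exists, who signed it and when it appeared"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.entry}\n    -> {f.detail}")
```

Everything it reports is a lead, not a verdict: the script never touches the machine, and the O4 heuristic in particular only says "look at this file", which is how regscan.exe would have surfaced even before a signature existed for it.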


#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 03 February 2007 - 08:12 AM

Welcome FullMJ :thumbsup:

Download the following to the desktop using the pc with the internet connection, then burn them to a blank cd, or copy them to a USB Flash/Pen Drive:
Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Download the Sysclean Package (3.2MB):
http://www.trendmicro.com/download/pattern-dcs.asp
Download the latest Virus Pattern File for Windows (lpt243.zip) (15.6MB):
http://www.trendmicro.com/download/viruspattern.asp


Place the cd you've just created into the infected machine's cd-rom drive, or the Flash/Pen Drive into an available USB port.
First install LSP-Fix, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "c:\windows\system32\okviewer4.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

===============================

First make sure you're logged on to your pc as Administrator, or at least logged on with an account with Administrator's privileges.

First create a new folder on your desktop:
[Right click on a blank area of the desktop 'New', select 'Folder'].
Right click on that new folder 'Rename', rename it to Sysclean.
Now place the Sysclean Package inside that new folder.
Unzip/extract the Virus Pattern File to that new folder.

Close all open applications, and DISABLE your current antivirus software.
Open the Sysclean folder and double-click on sysclean.com to start the scan.
It will take some time to complete.
Be patient and let it clean whatever it finds.
Exit when done and post back with how you got on please.

Edited by RichieUK, 03 February 2007 - 09:21 AM.
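What LSPFix does in the step above is walk the Winsock catalog and drop the entry whose DLL has vanished. The Python below is an added example for this page (not LSPFix, HijackThis or Microsoft code) that performs the read-only half of that job: it enumerates Protocol_Catalog9\Catalog_Entries under the WinSock2 parameters key, pulls the provider path out of each PackedCatalogItem value, and lists entries whose DLL cannot be found. The binary layout it relies on (provider path as a NUL-terminated ANSI string in the first 260 bytes of the item) and the Catalog_Entries64 subkey are assumptions of this example; the constructed SAMPLE_* data lets it run on a non-Windows box.

```python
r"""Enumerate the Winsock2 protocol catalog and report LSP entries whose
provider DLL no longer exists: the condition HijackThis reports as O10 and
that LSPFix repairs when an AV quarantines the DLL but leaves the entry.

Added example for this thread, not LSPFix, HijackThis or Microsoft code.
Registry layout assumed from the XP-era documentation: each entry is a
subkey of Protocol_Catalog9\Catalog_Entries holding a REG_BINARY
PackedCatalogItem whose first 260 bytes are the provider path as an
ANSI string; Catalog_Entries64 (64-bit Windows) is a further assumption.
SAMPLE_* below is constructed so the checker runs off-box."""
import os
import re
from typing import Callable, Dict, List, Mapping, Tuple

WINSOCK_KEY = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters"
CATALOG_SUBKEYS = (r"Protocol_Catalog9\Catalog_Entries",
                   r"Protocol_Catalog9\Catalog_Entries64")
MAX_PATH = 260


def provider_path(packed_item: bytes) -> str:
    """Provider DLL path: the NUL-terminated string at the head of the item."""
    return packed_item[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")


def expand_env(path: str, env: Mapping[str, str]) -> str:
    """Expand %VAR% the way the catalog expects (case-insensitive names)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%",
                  lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)


def read_catalog() -> Dict[str, bytes]:
    """{entry subkey: PackedCatalogItem} from the live registry (Windows only)."""
    import winreg
    items: Dict[str, bytes] = {}
    for sub in CATALOG_SUBKEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINSOCK_KEY + "\\" + sub)
        except OSError:
            continue                         # no Catalog_Entries64 on 32-bit XP
        with root:
            index = 0
            while True:
                try:
                    name = winreg.EnumKey(root, index)
                except OSError:
                    break                    # no more entries
                index += 1
                with winreg.OpenKey(root, name) as entry:
                    value, _ = winreg.QueryValueEx(entry, "PackedCatalogItem")
                items[sub + "\\" + name] = value
    return items


def broken_entries(items: Mapping[str, bytes],
                   exists: Callable[[str], bool] = os.path.exists,
                   env: Mapping[str, str] = os.environ) -> List[Tuple[str, str]]:
    """(entry, resolved DLL path) for every provider whose DLL is not on disk."""
    broken = []
    for entry, packed in items.items():
        resolved = expand_env(provider_path(packed), env)
        if not exists(resolved):
            broken.append((entry, resolved))
    return broken


# --- constructed sample: one healthy base provider, one orphaned LSP --------
def pack(path: str) -> bytes:
    """A PackedCatalogItem-shaped blob: path, NUL padding to MAX_PATH, then a
    few bytes standing in for the rest of the WSAPROTOCOL_INFO structure."""
    encoded = path.encode("latin-1")
    return encoded + b"\x00" * (MAX_PATH - len(encoded)) + b"\x00" * 16


SAMPLE_CATALOG = {
    r"Protocol_Catalog9\Catalog_Entries\000000000001": pack(r"%SystemRoot%\system32\mswsock.dll"),
    r"Protocol_Catalog9\Catalog_Entries\000000000002": pack(r"c:\windows\system32\okviewer4.dll"),
}
SAMPLE_ENV = {"SystemRoot": r"C:\WINDOWS"}
SAMPLE_FILES = {r"c:\windows\system32\mswsock.dll"}


def sample_exists(path: str) -> bool:
    """Stand-in for os.path.exists over the constructed file set."""
    return path.lower() in SAMPLE_FILES


if __name__ == "__main__":
    if os.name == "nt":
        result = broken_entries(read_catalog())
    else:
        result = broken_entries(SAMPLE_CATALOG, exists=sample_exists, env=SAMPLE_ENV)
    for entry, dll in result:
        print(f"orphaned LSP entry {entry} -> {dll}")
```

It deliberately reports rather than deletes: removing a catalog subkey by hand also means keeping Num_Catalog_Entries and the entry numbering consistent, and getting that wrong leaves Winsock in a worse state than the orphaned LSP did, which is why the thread reaches for LSPFix instead of regedit.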


#3 FullMJ
  • Topic Starter

  • Members
  • 13 posts

Posted 03 February 2007 - 11:28 AM

Hi RichieUK,
Firstly let me say THANK YOU for such a prompt reply to this issue.

I came across (and downloaded) the LSPFix last night.

After posting in the forum today, I read through the info
that I'd saved on it yesterday and decided to run it and see if it helped at all.

I ran it before I got your reply, so unfortunately I didn't use the
"I know what I'm doing" checkbox... but... it did seem to do the trick.

I ran it again after reading your post and nothing new came up so
I'm hoping that it will be OK.

I did everything else that you suggested and let the Sysclean package
thoroughly check the entire Hard Drive and clean whatever it found.

Thanks to your help the System is back up and running,Online and
Executive Diskeeper is now working properly again.

I'm still not sure about the
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
entry in Hijackthis but I can look into this in more detail now that I'm back Online

I'd just like to say a personal Thank You for all of your help with this problem
and I'd also like to Thank all of the people who help run/contribute to
such a fantastic resource.

Tim(UK)

_____________________________________________________________

My New Hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 15:51:41, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\atwtusb.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\000_[NO_INSTALL]\Security\Hijack This V 1_99_1\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 03 February 2007 - 12:09 PM

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
PCI Adapter (PCIDown)
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.
=====================================
Go to Control Panel>Folder Options>View tab, and enable 'Show hidden files and Folders',
now press Apply>OK.
=====================================
Please download/install AVG Anti-Spyware 7.5.
Please follow these instructions carefully.
Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware, don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into "SAFE MODE" using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)

Exit Hijack This, find and delete if present:
C:\WINDOWS\system32\regscan.exe

Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient, it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.
Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you've done.
Reboot normally.

Post the AVG Anti Spyware report and a new Hijack This log into your next reply.
Let me know how your pc is running now please.

#5 FullMJ
  • Topic Starter

  • Members
  • 13 posts

Posted 03 February 2007 - 03:18 PM

Hi RichieUK,
And there was me thinking that it was all sorted (lol)!

I followed your instructions as per the thread.

A couple of things.....
1. After Disabling the PCI Adapter [PCI Down] in Services.msc
O23 - Service: PCI Adapter (PCIDown) - Unknown owner - C:\WINDOWS\alg.exe (file missing)
no longer appeared in the hijackthis scan so I couldn't "Fix" it.
(I assume that this means its no longer a problem/has gone).

2. I searched for the C:\WINDOWS\system32\regscan.exe file
but it also didn't appear.

I did everything else as you suggested and the Machine seems
to be running just fine.
Thanks once again for all of your help.

Copies of my logs are listed below.

Tim(UK)


Logfile of HijackThis v1.99.1
Scan saved at 18:33:46, on 03/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\000_[NO_INSTALL]\Security\Hijack This V 1_99_1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:34:52 03/02/2007

+ Scan result:



D:\DATA XFER_(Partition K)\Computer & Telecommunications\Security\AAA_Appz_Misc\Merijn_Kill2Me\kill2me.zip/Kill2Me.exe -> Adware.LookMe : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Optical Media_(Not Backed Up)\000_Appz To Archive\Nero 5.5.1.8_[Hicks-Rush]\Nero 5.5.1.8. Keygen.exe -> Backdoor.Rbot : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\OS\M$\Windows\XP\000_APPZ\Keyz & Crackz\XPKeySP2\XPKeySP2.exe -> Backdoor.Tagent.e : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\OS\M$\Windows\XP\Keyz\000_Sky-prohosting\oem_key_full_files\Key Utils\XPKeySP2.exe -> Backdoor.Tagent.e : Cleaned.
D:\000_TO DELETE\Plugins\Amplitube\CrcCheck.exe -> Downloader.Dadobr.bk : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\AV\Audio\Appz\000_APPZ To Archive\Samplers & Synths (incl BFD)\instr\Slayer_Guitar Sim\pdxrfxsl.zip/CrcCheck.exe -> Downloader.Dadobr.bk : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Data\Backup\safety\Windows Backup\x-stream bkup\Grdsys32.exe -> Heuristic.Win32.Dialer : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Security\Protected Storeage PassView\v1-62\pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Security\Protected Storeage PassView\v1-62\pspv.zip/pspv.exe -> Not-A-Virus.PSWTool.Win32.PassView.162 : Cleaned.
D:\000 Archive-Backup-Copies\Zip Programs_(Include On All Archive Discs)\WinRAR\winrar290\patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Data\File Utils\Zip Programs\WinRAR\winrar290\patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\OS\M$\Windows\XP\000_APPZ\Keyz & Crackz\XP Cracks\Windows Xp Cracks and helpers\WPAPATCH.EXE -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Optical Media_(Not Backed Up)\000_Appz To Archive\Alcohol 1481222\Alcohol_v1.4.8.1222 with key\patch\smart_patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1 Unzipped\Crack\fr_svcr1b31_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1 Unzipped\StreamBox VCR 1.0 Beta 3.1 Stealth Mulder Fix\fr_svcr1b31smf_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1 Unzipped\StreamBoxVCR1.0Beta3.1StealthMulderFix.zip/StreamBox VCR 1.0 Beta 3.1 Stealth Mulder Fix/fr_svcr1b31smf_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1 Unzipped\fr_svcr1b31_crack.zip/fr_svcr1b31_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1\StreamBox!VCR.zip/StreamBoxVCR1.0Beta3.1StealthMulderFix.zip/StreamBox VCR 1.0 Beta 3.1 Stealth Mulder Fix/fr_svcr1b31smf_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\DATA XFER_(Partition K)\Computer & Telecommunications\Telecomms_Internet\Streaming\Appz\Streambox VCR V1.0 Beta 3.1\StreamBox!VCR.zip/fr_svcr1b31_crack.zip/fr_svcr1b31_crack.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.6:C:\Documents and Settings\Simon\Application Data\Mozilla\Profiles\default\o56dr09w.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wakoqjcjmgq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wfkiold5gaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wfkokgcpeao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wflooiazico.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wfmiaicpgkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wgkoshcjifo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6whkighajmko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wjk4aic5kbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wjk4kgdjaep.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wjk4qmdjigp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@e-2dj6wjmiupd5wfq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.87:C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\e4xa9m5v.slt\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.69:C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\e4xa9m5v.slt\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Paul\Cookies\paul@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.75:C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\e4xa9m5v.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.76:C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\e4xa9m5v.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.77:C:\Documents and Settings\Paul\Application Data\Mozilla\Profiles\default\e4xa9m5v.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 03 February 2007 - 03:36 PM

Please Note:
If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, to include those used for email, eBay and forums.
You should consider them to be compromised.
Banking and credit card institutions should be notified of the possible security breach.
===========================
Your log is clean :thumbsup:
If all's ok, please do the following:

Go to Control Panel > Folder Options > View tab, and disable 'Show hidden files and Folders',
now press Apply > OK.

Turn off System Restore, then turn it back on again:
Help if needed:
http://www.pchell.com/virus/systemrestore.shtml

Create a new System Restore Point:
Help if needed:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the System Restore window, click the "Create a Restore Point" button, then click 'Next'.
In the window that appears, enter a description, then click on "Create", then "Close".
The date and time are added automatically.

Click on Start > Run, type cleanmgr then press Ok.
In the opening 'Select Drive' box, click Ok again.
In the 'Disk Cleanup for [C:]' box click on the 'More Options' tab.
In the 'System Restore' window at the bottom click on 'Clean up...'.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Then click on 'Ok' at the bottom of the 'Disk Cleanup for [C:]' box.
A box will pop up 'Are you sure you want to perform these actions?', click on 'Yes'.
Disk Cleanup will then run and close automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections:
http://forums.spywareinfo.com/index.php?showtopic=60955

Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save it to your desktop.
7. Close any programs you may have running, especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
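The post-cleanup steps above (re-hide hidden files, take a fresh restore point, then find and remove every old Java runtime before installing the new one) can be scripted instead of clicked through. The following is an added example written for this page, not RichieUK's own instructions or anything from Sun: it assumes a Windows host with PowerShell 2.0 or later, an elevated (Administrator) session, and the standard registry locations that Folder Options and Add/Remove Programs read. The `$DryRun` switch and the 'Clean after malware removal' description are this example's own choices.

```powershell
# Added example, not part of the original thread: the post-cleanup steps from
# RichieUK's post (re-hide hidden files, take a fresh restore point, find and
# remove old Java runtimes) scripted in PowerShell. Assumptions: a Windows
# host with PowerShell 2.0 or later, an elevated (Administrator) session, and
# the standard registry locations that Folder Options and Add/Remove Programs
# read. Set $DryRun to $false to actually run the uninstalls.
$DryRun = $true

# 1. Folder Options > View: hide hidden files and folders again.
#    Hidden = 1 shows them, 2 hides them; ShowSuperHidden = 0 hides protected
#    operating-system files. Explorer picks the change up on its next start.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name Hidden -Value 2 -Type DWord
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 0 -Type DWord

# 2. Create a new System Restore point now that the machine is clean.
Checkpoint-Computer -Description 'Clean after malware removal' -RestorePointType 'MODIFY_SETTINGS'

# 3. Enumerate every installed Java Runtime (JRE / J2SE). Installed programs
#    are listed under the Uninstall keys; 64-bit Windows also keeps the 32-bit
#    entries under Wow6432Node.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$javaEntries = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
    Select-Object DisplayName, DisplayVersion, UninstallString, PSChildName

if (-not $javaEntries) {
    Write-Host 'No Java runtimes are registered in Add/Remove Programs.'
    return
}
$javaEntries | Format-Table -AutoSize

# 4. Remove each one. Sun's JRE installers register as Windows Installer
#    products, so the key name (PSChildName) is a product-code GUID that
#    "msiexec /x" accepts; anything else is reported for manual removal.
foreach ($entry in $javaEntries) {
    if ($entry.PSChildName -notmatch '^\{[0-9A-Fa-f-]+\}$') {
        Write-Warning "Not an MSI product, remove by hand: $($entry.DisplayName) ($($entry.UninstallString))"
        continue
    }
    $arguments = "/x $($entry.PSChildName) /qn /norestart"
    Write-Host "Uninstalling $($entry.DisplayName) $($entry.DisplayVersion): msiexec $arguments"
    if (-not $DryRun) {
        $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
        if ($p.ExitCode -ne 0) { Write-Warning "msiexec exited with code $($p.ExitCode)" }
    }
}
# Reboot once every old version is gone, then install the new JRE from the
# offline installer saved to the desktop.
```

Run it once with `$DryRun = $true` to see which Java entries it found and the exact msiexec command it would issue for each, then flip the switch. Two caveats: Windows 8 and later refuse to create a second restore point within 24 hours of the last one unless the SystemRestorePointCreationFrequency value is changed, so Checkpoint-Computer may warn and skip; and the uninstall keys only list what Windows Installer knows about, so a JRE that was copied into place rather than installed will not appear and has to be found on disk.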

#7 FullMJ

  • Topic Starter
  • Members
  • 13 posts

Posted 08 February 2007 - 05:29 PM

Hi RichieUK,
Please accept my apologies for the delay in replying to your last post.

I did everything as suggested in the thread, and after downloading
ALL of the Security Updates (I didn't realise how many I didn't have),
installing a couple of Security Programs from the thread that you linked to,
changing passwords and finally upgrading my Browsers/to a new Firewall
(which I'm still grappling with)......
I am happy to inform you that all seems to be running smoothly with the machine.

Again, please accept my personal thanks for all of your help/advice with this issue and
hopefully I won't be "darkening your doorstep" again too soon.

Tim(UK)

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 08 February 2007 - 05:32 PM

You're most welcome Tim, glad to help out :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.