Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mind To Check My Pc?


  • Please log in to reply
9 replies to this topic

#1 cadre

cadre

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 10 March 2007 - 10:09 PM

Well, I got infected with some sort of virus. The virus apparently automatically deleted any program that I entered and once kept on opening and closing my CD drive until I closed my computer. I also have some suspicion that it is stealing some of my logins and passwords. I ran Spyware Doctor, Adware, Kaspersky, and Spybot in safe mode (had to reinstall all those programs because the virus deleted it all) and deleted what it told me to delete. So, can anyone check my PC if I got rid of the virus? Thanks!




Logfile of HijackThis v1.99.1
Scan saved at 9:59:14 PM, on 3/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\iTunes\iTunesHelper.exe
D:\Kaspersky Anti-Virus\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
D:\AVG Anti-Spyware 7.5\guard.exe
D:\Kaspersky Anti-Virus\avp.exe
D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
E:\iPod\bin\iPodService.exe
D:\Spyware Doctor\Spyware Doctor\swdoctor.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iqhyiaa.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)
O2 - BHO: (no name) - {E03043DD-33A6-4E2A-9E0A-FC5A0B555F52} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Anti-Virus\avp.exe"
O4 - HKLM\..\RunOnce: [IndexWipe] D:\iISystem Wiper\iISystem Wiper\IndexWipe.exe
O4 - HKCU\..\Run: [µTorrent] "E:\utorrent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Anti-Virus\SCIEPlgn.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151464197390
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adgate.info/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll,
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\dfu10.dll (file missing)
O20 - Winlogon Notify: RunServicesOnce - C:\WINDOWS\system32\aqtapi.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

BC AdBot (Login to Remove)

 


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:51 PM

Posted 17 March 2007 - 10:22 PM

Apologies for the delay in responding.

The workload on this forum is intense, and sometimes it is not possible to respond to every inquiry.

It is best to have the most current log possible, so please run HijackThis again.

I will be notified when you do so, and will be glad to assist you.

Old duck...


#3 cadre

cadre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 18 March 2007 - 03:04 AM

Heres the new log, thanks for the help!




Logfile of HijackThis v1.99.1
Scan saved at 4:00:10 AM, on 3/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\AVG Anti-Spyware 7.5\guard.exe
D:\Kaspersky Anti-Virus\avp.exe
D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
E:\iTunes\iTunesHelper.exe
D:\Kaspersky Anti-Virus\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
E:\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iqhyiaa.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)
O2 - BHO: (no name) - {E03043DD-33A6-4E2A-9E0A-FC5A0B555F52} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Anti-Virus\avp.exe"
O4 - HKCU\..\Run: [µTorrent] "E:\utorrent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Anti-Virus\SCIEPlgn.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151464197390
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adgate.info/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll,
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\dfu10.dll (file missing)
O20 - Winlogon Notify: RunServicesOnce - C:\WINDOWS\system32\aqtapi.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:51 PM

Posted 18 March 2007 - 09:44 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Next, run HijackThis, Scan
Check box for:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWSabout.htm

R3 - URLSearchHook: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iqhyiaa.exe

O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: (no name) - {D9CA5290-9A76-B8AD-7A02-CB896C5C66CD} - (no file)
O2 - BHO: (no name) - {E03043DD-33A6-4E2A-9E0A-FC5A0B555F52} - (no file)

The following ActiveX controls will reinstall when (and if) you revisit that website. Unless you know they are from a safe source, check to remove:
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/vir...5/installer.exe

Also check:
O20 - Winlogon Notify: ideusr50 - ideusr50.dll (file missing)
O20 - Winlogon Notify: MediaContentIndex - C:\WINDOWS\system32\dfu10.dll (file missing)
O20 - Winlogon Notify: RunServicesOnce - C:\WINDOWS\system32\aqtapi.dll (file missing)

Select: Fix checked

~~~~
Reboot to Safe Mode :
-Restart your computer.
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Go to Start > Control Panel > Internet Options
In the General tab, Temporary Internet Files, click: Delete Files
When prompted, check: Delete all offline content
You can also check: Delete Cookies (You will have to re-enter passwords at websites that require them.)
Click OK

Then, go to Start >Run and enter: cleanmgr
Select the drive to clean: C:\
Check the following boxes and then press OK to remove:
Temporary Files
Temporary Internet Files
RecycleBin

Agree to the prompt to perform the action...

~~~~
Still in Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the following:
The AVG AS report
A new HijackThis log

Old duck...


#5 cadre

cadre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 19 March 2007 - 01:27 AM

Alright, here are the logs, thanks!





-------------------------------------
AVG Anti - Spyware - Scan Report
-------------------------------------
+ Created at: 1:44:58 AM 3/19/2007



+ Scan result:




C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-146b461d.class -> Adware.CWS : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0076857.exe -> Backdoor.Bifrose.uw : Cleaned with backup (quarantined).

D:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP144\A0076500.exe -> Backdoor.Bifrose.uw : Cleaned with backup (quarantined).

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe -> Downloader.Small : Cleaned with backup (quarantined).

C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe -> Downloader.Small : Cleaned with backup (quarantined).

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe -> Downloader.Small : Cleaned with backup (quarantined).

C:\Program Files\Microsoft IntelliPoint\point32.exe -> Downloader.Small : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP143\A0076105.rbf -> Downloader.Small : Cleaned with backup (quarantined).

C:\WINDOWS\system32\spool\drivers\w32x86\3\fpdisp5a.exe -> Downloader.Small : Cleaned with backup (quarantined).

E:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP144\A0076214.rbf -> Downloader.Small : Cleaned with backup (quarantined).

C:\Documents and Settings\User\Cookies\user@kmpads[1].txt -> TrackingCookie.Kmpads : Cleaned.

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP139\A0075661.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077863.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077864.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077865.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077866.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077867.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077868.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077869.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077870.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077871.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077872.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{0B30236F-51BA-4769-9E11-CC49780931FF}\RP145\A0077873.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).





::Report end


Logfile of HijackThis v1.99.1
Scan saved at 2:22:42 AM, on 3/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\iTunes\iTunesHelper.exe
D:\Kaspersky Anti-Virus\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
D:\AVG Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
D:\Kaspersky Anti-Virus\avp.exe
D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
E:\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis\HijackThis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Anti-Virus\avp.exe"
O4 - HKCU\..\Run: [µTorrent] "E:\utorrent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Anti-Virus\SCIEPlgn.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151464197390
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adgate.info/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll,
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:51 PM

Posted 19 March 2007 - 08:27 PM

You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops asking "Are you sure you want to remove the selected files...??"
-Select: Yes

~~~~
Next, run HijackThis, Scan
Check box for:

O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adgate.info/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab

Have you used the programs that follow and uninstalled them at some point?
If so, and if you would like to remove all traces of them, place a checkmark next to the following entries as well:

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

Select: Fix checked

~~~~
Restart the computer

~~~~
Are you still having malware problems?

Old duck...


#7 cadre

cadre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 19 March 2007 - 11:05 PM

Everything seems to be work properly, I haven't yet had a problem that I could detect in the past few hours. But, when I tried to remove the last three items:

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

you said to remove on your last post, I removed them but they kept on coming back when I rescanned with it HijackThis. If those three items are not any real big threats or viruses, then I guess I could just leave them there if thats not a problem.

Heres my current log:




Logfile of HijackThis v1.99.1
Scan saved at 11:58:45 PM, on 3/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
E:\iTunes\iTunesHelper.exe
D:\Kaspersky Anti-Virus\avp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
D:\Kaspersky Anti-Virus\avp.exe
D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
E:\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\SPYWAR~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Anti-Virus\avp.exe"
O4 - HKCU\..\Run: [µTorrent] "E:\utorrent.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Adobe Reader\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: Download All by FlashGet - D:\FlashGet\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\FlashGet\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Anti-Virus\SCIEPlgn.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\SPYWAR~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} (USBAPTester Class) - http://www.nintendowifi.com/troubleshooting/usbaptest.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107w.bay107.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151464197390
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: interceptor.dll,
O20 - Winlogon Notify: klogon - C:\WINDOWS\System32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\AVG Anti-Spyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - D:\Kaspersky Anti-Virus\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\iPod\bin\iPodService.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - Sonic Solutions - (no file)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Spyware Doctor\Spyware Doctor\sdhelp.exe
O23 - Service: CaReTaKeR-CT NetMgr 1.2.1 (sfmgr) - Unknown owner - D:\unzipped\sfmgr1_2_1\sfmgr.exe (file missing)

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:51 PM

Posted 20 March 2007 - 01:57 PM

If you decided to fix the aforementioned items (O23‘s), let’s use the following instead:

Please launch Notepad, (Start > Run, type in: notepad)
Copy/paste all the blue text below to it

@echo off
sc stop AVP
sc delete AVP
sc stop RAMainy
sc delete RAMaint
sc stop sfmgr
sc delete sfmgr
exit


In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: FixServices.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Now, double click FixServices.bat
A window opens and closes quickly.

~~~~
There are some items you need to take care of:
The version of Java shown on the log is outdated.

Please go to Start > Control Panel > Add or Remove Programs
In the list of Currently Installed Programs, look for all previous versions of Java:
i.e. J2SE Runtime Environment number x, etc.
Select each Java entry and then click: Remove

Next, download and install the newest version
Scroll down to: Java Runtime Environment (JRE) 6
http://java.sun.com/javase/downloads/index.jsp

~~~~
Last, but not least, the log is showing an outdated version of the Windows XP Service Pack.
It is very important you download Service Pack 2 (SP2) !! It patches many of the security vulnerabilities through which attackers can gain access to your computer.

Please download SP2 from the Microsoft Windows Updates website:
http://www.microsoft.com/windowsxp/sp2/default.mspx

Post back on how this goes. If you experience any problems downloading SP2, it could indicate malware still resides in your system!!

~~~~
Please post one last HijackThis log when you are done with the above.

Edited by Aaflac, 20 March 2007 - 01:58 PM.

Old duck...


#9 cadre

cadre
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:03:51 PM

Posted 21 March 2007 - 07:02 AM

My computer just went from bad to worst, I followed all the instructions you gave me in your previous post. But, during the middle of installing Service Pack 2, my computer suddenly restarted by itself. So, then I tried to install Service Pack 2 again and it restarted by itself again. But, this time during the start up of the computer, I get a screen saying that file "Ntfs.sys" is missing or corrupted. So now I can't even login to my computer at home (currently typing from school). Any help is appreciated, thanks!

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:USA
  • Local time:02:51 PM

Posted 21 March 2007 - 08:46 PM

cadre,

Please use the following guidance from Microsoft:

http://support.microsoft.com/kb/555531

Old duck...





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users