Computer Locking Up On Normal Boot - Unkown Infection


12 replies to this topic

#1 Lonranger

Lonranger

  • Members
  • 69 posts
  • Gender:Male
  • Location:Canada
  • Local time:07:24 AM

Posted 22 April 2007 - 05:02 AM

Hi there:

Upon rebooting, my computer will not shut down properly, and when I finally hard restart it, if I do not start in safe mode, it will freeze after a while with only the task manager able to run, and some desktop items. The desktop does not refresh, and there is no access to the quicklaunch toolbar, start menu or systray.

The only thing that came up recently was a note in CounterSpy that BSPlayer was low risk and suggested I ignore it. As well, after reboot, the CounterSpy resident program would not enable.

I am running Ad-Aware, Spybot, AVG, Ad-Watch, BHODemon, and SpywareBlaster.
Here is a hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 3:50:37 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\Brmfrmps.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\system32\nvsvc32.exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
P:\program files\CyberLink\Shared files\RichVideo.exe
P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
P:\program files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\svchost.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
P:\program files\Microsoft Office\Office10\OUTLOOK.EXE
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\MouseButton\Mbutton.EXE
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wuauclt.exe
P:\Program Files\Microsoft Office\Office10\WINWORD.EXE
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O1 - Hosts: Miner][HumanTag Monitor]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe

I hope that you can help.

TIA

Sam


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:24 AM

Posted 28 April 2007 - 03:55 PM

Hi Lonranger,

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience.

#3 Lonranger

Lonranger
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Canada
  • Local time:07:24 AM

Posted 29 April 2007 - 10:35 AM

Thank you for the response. As requested here is a new log...

Logfile of HijackThis v1.99.1
Scan saved at 9:27:52 AM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
P:\program files\CyberLink\Shared files\RichVideo.exe
P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\System32\svchost.exe
P:\program files\MSN Messenger\msnmsgr.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MouseButton\Mbutton.EXE
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\system32\wuauclt.exe
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O1 - Hosts: Miner][HumanTag Monitor]
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe

Hope that you can help me out.

Thank you.

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:24 AM

Posted 01 May 2007 - 12:08 PM

Hi Lonranger,

Welcome to BleepingComputer Forums and thanks again for your patience.

Looking at the problems you describe, I have three questions:

1. For me to understand the problem better: if you turn off your computer and start it up again, can you not get into Normal mode? Or is it only so when you use the reboot button?
2. Do you get any error messages? If you do, please report them here and be as specific as possible.
3. Have you installed new equipment with a USB connection just before the problems started?

Your HijackThis log has been made in Normal mode so you can run your computer in Normal mode and download programmes.

1. To begin with defragment your hard drive:
  • Open My Computer and right-click on the C: drive. Select Properties, then click on the Tools tab and select Defragment Now...
  • The Windows Disk Defragmenter program will open and all drives are listed in the top window pane. Since the program is going to be arranging files on your hard drive, it is important that no files are being accessed during the process, or the program won't be able to move them. Close all open programs.
  • The C: drive is where operating system files and programs are installed by default, so make sure that it is selected, then click Defragment. While the program is running, it is recommended that you not use your computer. The time it takes to run the defragmenting process is dependent on the size of your hard drive and the amount of fragmentation.

    While the program is running you will see a graphical representation of the blocks of files on your hard drive being moved and the fragmented segments joined together. Usually the fewer gaps of free space between the contiguous segments the better, but as long as the fragmented files are put together into contiguous segments, it will help your computer's performance.
  • Once the process is complete, the graphic should display most of the contiguous files on the left and the majority of the free space on the right. Close the Disk Defragmenter window and resume using your computer.
2. Are you using a firewall? I see nothing in your log that would indicate that you have one installed and active.

If not, I urge you to install one, since it's your first defense against malware. There are several good free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

3. We need to disable some of your protection programmes, since they may interfere with the fixes we have to make. When your log is clean, you can enable them again: I will let you know.

Teatimer
> Run Spybot S&D, go to the Mode menu and select Advanced Mode;
> On the left hand side choose Tools > Resident;
> Uncheck Resident Teatimer and click Ok (close Spybot).

Ad-Watch
  • Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
  • At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
    • Active: Switches Monitoring On or Off without closing
    • Automatic: Switches Automatic Blocking On or Off
  • Uncheck (red X) both items.
CounterSpy
  • Right Click on the CounterSpy Icon located in your system tray.
  • With your mouse, hover over Active Protection Status (This should be enabled)
  • A menu will slide out, then right click on Disable Active Protection
Once your log is clean please re-enable CounterSpy.

4. Run HijackThis, click Scan and checkmark the following entries:

O1 - Hosts: Miner][HumanTag Monitor]
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -


If you, or someone on your behalf, didn't set these rules for IE, check the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5. Download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

6. Please run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs, click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and copy and paste the entire report in your next reply.

7. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u1). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel and double-click on the Add/Remove Programs icon.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the Java icon next to it.
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u1
Please post the F-Secure report together with a fresh HijackThis log and don't forget to answer my questions.
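
Falu's review above applies a handful of mechanical checks to the log: O1 hosts-file entries, O6 IE policy restrictions, an O16 ActiveX entry with no download URL, "(file missing)" leftovers, and references to an outdated Java runtime. The following Python script is added here as an example and is not part of the thread or of HijackThis itself; it parses the HijackThis line format and applies those same checks to sample lines modelled on the log posted above. The tuple CURRENT_JRE = (1, 6, 0, 1) encodes the JRE 6u1 version Falu names and is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O1 - Hosts: Miner][HumanTag Monitor]
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
"""

# Constructed sample with nothing to flag.
CLEAN_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - P:\Program Files\Sunbelt Software\CounterSpy\Consumer\SBCSSvc.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# JRE versions appear as "jre1.5.0_10" in paths and as "Java Plug-in 1.5.0_06" in O16 entries.
JAVA_RE = re.compile(r"(?:jre|Java Plug-in )(\d+)\.(\d+)\.(\d+)_(\d+)", re.IGNORECASE)

# Assumption for this example: JRE 6u1 (1.6.0_01), the version the review above calls current.
CURRENT_JRE = (1, 6, 0, 1)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, full_line) for every log line that is an entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def java_version(text):
    """Extract a JRE version tuple such as (1, 5, 0, 10) from an entry, or None."""
    m = JAVA_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def fmt_version(v):
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def triage(text, current_jre=CURRENT_JRE):
    """Apply the checks from the review above to a HijackThis log and return findings."""
    findings = []
    for section, body, line in parse_entries(text):
        if section == "O1":
            # Hosts-file entries can silently redirect or block sites.
            findings.append(Finding(section, "hosts file entry; verify it is intentional", line))
        elif section == "O6":
            # IE policy keys are legitimate only if the user (or their admin) set them.
            findings.append(Finding(section, "IE policy restriction present; confirm who set it", line))
        elif section == "O16" and body.rstrip().endswith("-"):
            # A DPF entry whose download URL is empty cannot be attributed to a vendor site.
            findings.append(Finding(section, "ActiveX (DPF) entry with no source URL", line))
        if "(file missing)" in body:
            # Orphaned entries are harmless leftovers at best; either way they should go.
            findings.append(Finding(section, "entry points at a file that no longer exists", line))
        v = java_version(body)
        if v and v < current_jre:
            findings.append(Finding(section, f"references JRE {fmt_version(v)}, older than {fmt_version(current_jre)}", line))
    return findings


def findings_by_section(text, current_jre=CURRENT_JRE):
    """Count findings per HijackThis section, e.g. {'O16': 2, ...}."""
    counts = {}
    for f in triage(text, current_jre):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```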

#5 Lonranger

Lonranger
  • Topic Starter

  • Members
  • 69 posts
  • Gender:Male
  • Location:Canada
  • Local time:07:24 AM

Posted 03 May 2007 - 02:04 AM

ok...

Done all you asked. Here are the two reports...


Scanning Report


Wednesday, May 02, 2007 21:13:31 - 00:38:33

Computer name: ********
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\ G:\ I:\ P:\

------------------------------------------------------------------------


Result: 1 malware found

W32/Suspicious_F.gen
<http://cgi.f-secure.com/cgi-bin/websearch/vsearch.cgi?q=W32/Suspicious_F.gen&orig='disk'>
(virus)

* P:\PROGRAM FILES\ZUMA\_KEYGEN\ZUMA_KG.EXE (Submitted)

------------------------------------------------------------------------


Statistics

Scanned:

* Files: 60923
* System: 6298
* Not scanned: 51

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 1

Files not scanned:

* x?x?AGEFILE.SYS C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

------------------------------------------------------------------------


Options

Scanning engines:

* F-Secure Libra: 2.4.2, 2007-05-01
* F-Secure AVP: 7.0.171, 2007-05-03
* F-Secure Orion: 1.2.37, 2007-05-03
* F-Secure Blacklight: 1.0.53, 0000-00-00
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Pegasus: 1.19.0, 2007-03-25

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT
VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM
ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK
WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML
PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

------------------------------------------------------------------------





and now the new hijack report...

Logfile of HijackThis v1.99.1
Scan saved at 12:42:58 AM, on 5/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\nvsvc32.exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
P:\program files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\MouseButton\Mbutton.EXE
C:\WINDOWS\System32\svchost.exe
P:\program files\Brother\Brmfcmon\brmfcwnd.exe
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe
I hope that this helps out and that you can direct me further.

Thanks again for all your assistance, in the past, present and possible future.

#6 Falu

Posted 03 May 2007 - 04:56 AM

Hi Lonranger, :flowers:

While I go through your logs could you please answer the questions I had? :thumbsup:

#7 Lonranger (Topic Starter)

Posted 03 May 2007 - 01:00 PM

Looking at the problems you describe I have three questions:

1. For me to understand the problem better: if you turn off your computer and start it up again you cannot get into normal mode? Or is it only so when you use the reboot button?

I could get into normal mode/safe mode...but the system would lock up a short time later. It would not matter.

2. Do you get any error messages? If you do please report them here and be as specific as possible.

I had not been getting any error messages in the past. Sometimes, though, I did get a message that Explorer needed to close.

3. Have you installed new equipment with a usb connection just before the problems started.

I had not installed any new equipment with or without USB.

4. Do you have a firewall installed?

Yes, I have a hardware firewall running from my router, and therefore am not running the Windows XP firewall.

To note:
I have recently had MB problems with the IDE controller. I do not know if some of the problems were related to that or not. I currently do not have the IDE controller in use, and therefore the IDE drive is also not in use.

I hope that this answers the questions.

Edited by Lonranger, 03 May 2007 - 05:04 PM.


#8 Falu

Posted 04 May 2007 - 07:13 AM

Hi Lonranger, :thumbsup:

I hope that this helps out and that you can direct me further.

Thanks again for all your assistance, in the past, present and possible future.


You're very welcome.

1. Disable Ad-Watch and Teatimer once more:

Teatimer

> Run Spybot S&D, go to the Mode menu and select Advanced Mode;
> On the left hand side choose Tools > Resident;
> Uncheck Resident Teatimer and click Ok (close Spybot).

Ad-Watch

* Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off
* Uncheck (red X) both items.

2. Run HijackThis, click Scan and checkmark the following entries:

O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folder if it exists:

P:\Program Files\Java\jre1.5.0_06

4. Download Deckard's System Scanner and save it to your Desktop.

* Double click dss.exe and follow the prompts.
* When finished, it will produce a log for you.
* Post the contents of that log in your next reply.
* Using Windows Explorer (to get there right-click your Start button and go to "Explore"), navigate to the C:\Deckard\System Scanner folder. You will find two logs in the folder, main.txt and extra.txt.
* Open the main.txt log in Notepad
* Also copy and paste its contents in a reply.

Please reboot and post the DSS report along with a new HijackThis log for review and let me know how things are running.
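The three entries checkmarked above are what a helper picks out of a HijackThis log by eye: a Java update scheduler and two O16 plug-in classes left behind by an older JRE. As an added example (not code from this thread, from HijackThis or from Deckard's System Scanner), the Python below parses the R/O entry format of the logs posted here and applies the same checks automatically: entries whose target file is reported "(file missing)", O16 DPF classes registered with no download URL, and entries that point at a Java runtime older than the newest one seen in the log; every O20 load point (AppInit_DLLs, Winlogon Notify) is flagged for a look because those DLLs run in every process or inside winlogon. The sample lines are constructed from the entry formats in the posted logs; the rule set and function names are this example's own.

```python
"""Triage a HijackThis 1.99.1 log.

Added example for this thread; not HijackThis code and not posted by either
participant. Parses the "Oxx - ..." entry format and applies the checks a
helper applies by hand: missing files, orphaned O16 DPF classes, stale Java
runtimes, and every O20 load point.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on entry formats from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# Matches either a JRE install path (jre1.6.0_01) or a plug-in name (Java Plug-in 1.5.0_06).
JAVA_VER_RE = re.compile(r"jre(\d+)\.(\d+)\.(\d+)_(\d+)|Java Plug-in (\d+)\.(\d+)\.(\d+)_(\d+)")


@dataclass
class Entry:
    code: str  # section code such as "O20"
    body: str  # text after "O20 - "
    raw: str   # the full line, as it would be checkmarked in HijackThis


@dataclass
class Finding:
    entry: Entry
    reason: str


def parse_hjt(text):
    """Return the R/F/N/O entries of a log; process lists and headers are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), raw.strip()))
    return entries


def java_version(s):
    """Java version referenced by a line, as a comparable tuple, or None."""
    m = JAVA_VER_RE.search(s)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def fmt_version(v):
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def triage(entries):
    """Apply every rule to every entry; one entry can collect several reasons."""
    versions = [v for v in (java_version(e.body) for e in entries) if v]
    newest = max(versions) if versions else None
    findings = []
    for e in entries:
        if "(file missing)" in e.body:
            findings.append(Finding(e, "load point for a file that no longer exists (orphaned entry)"))
        if e.code == "O16" and e.body.rstrip().endswith("-"):
            findings.append(Finding(e, "DPF ActiveX class registered with no download URL (orphaned)"))
        if e.code == "O20":
            # AppInit_DLLs is loaded into every process that links user32;
            # Winlogon Notify DLLs run inside winlogon.exe. Both need a look.
            findings.append(Finding(e, "O20 load point runs in every process or in winlogon; verify the DLL"))
        v = java_version(e.body)
        if v and newest and v < newest:
            findings.append(Finding(e, f"references Java {fmt_version(v)} while {fmt_version(newest)} is installed (stale runtime)"))
    return findings


def review_list(findings):
    """Unique raw lines to look at, in log order: a review list, not a fix list."""
    seen, out = set(), []
    for f in findings:
        if f.entry.raw not in seen:
            seen.add(f.entry.raw)
            out.append(f.entry.raw)
    return out


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.entry.code:4} {f.reason}\n     {f.entry.raw}")
```

The output is a review list, not a fix list. The O20 AppInit_DLLs entry for MsgPlusLoader.dll belongs to Messenger Plus and is left alone in this thread, and a "(file missing)" entry can simply be a leftover from an uninstall; the script only narrows the log down to the lines a helper should decide on. A stale JRE is worth acting on even when nothing is malicious, since the older runtime stays reachable from the browser until its plug-in registration and install folder are gone.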

#9 Lonranger (Topic Starter)

Posted 04 May 2007 - 09:31 AM

Here are the logs that you requested....

Logfile of HijackThis v1.99.1
Scan saved at 8:24:30 AM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
P:\program files\MSN Messenger\msnmsgr.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
P:\program files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\MouseButton\Mbutton.EXE
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe

and the other one....

Deckard's System Scanner v20070426.43
Run by Sam on 2007-05-04 at 08:15:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
40: 2007-05-04 14:15:17 UTC - RP229 - Deckard's System Scanner Restore Point
39: 2007-05-04 03:36:16 UTC - RP228 - System Checkpoint
38: 2007-05-03 03:18:35 UTC - RP227 - System Checkpoint
37: 2007-05-01 23:23:37 UTC - RP226 - Installed Java™ SE Runtime Environment 6 Update 1
36: 2007-05-01 22:21:39 UTC - RP225 - Removed Sunbelt CounterSpy.


-- First Restore Point --
1: 2007-03-30 20:00:28 UTC - RP190 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Sam.exe) -------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:16:18 AM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
P:\program files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\program files\MSN Messenger\msnmsgr.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\MouseButton\Mbutton.EXE
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
C:\WINDOWS\System32\svchost.exe
P:\program files\Microsoft Office\Office10\OUTLOOK.EXE
P:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Sam\Desktop\dss.exe
P:\PROGRA~1\HIJACK~1\Sam.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe


-- HijackThis Fixed Entries (P:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20061009-132727-122 O20 - Winlogon Notify: ddccb - C:\WINDOWS\
backup-20061009-132727-342 R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
backup-20061009-132727-425 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20061009-132728-164 O20 - Winlogon Notify: sstqo - C:\WINDOWS\
backup-20061009-132728-474 O20 - Winlogon Notify: vtutuur - C:\WINDOWS\
backup-20061018-180600-110 O20 - Winlogon Notify: ddccb - C:\WINDOWS\
backup-20061018-180600-843 O20 - Winlogon Notify: sstqo - C:\WINDOWS\
backup-20061018-180601-469 O20 - Winlogon Notify: vtutuur - C:\WINDOWS\
backup-20070501-181202-164 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
backup-20070501-181202-247 O1 - Hosts: Miner][HumanTag Monitor]
backup-20070501-181202-508 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20070501-181202-654 O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
backup-20070504-081235-720 O4 - HKLM\..\Run: [SunJavaUpdateSched] P:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
backup-20070504-081235-762 O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
backup-20070504-081236-137 O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R3 DKbFltr (Dritek HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\dkbfltr.sys <Not Verified; Dritek System Inc.; Dritek MMKey>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "p:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>

S3 NBService - p:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Scheduled Tasks -------------------------------------------------------------

2007-04-15 06:14:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-04-04 and 2007-05-04 -----------------------------

2007-05-01 17:23:41 0 d-------- C:\Program Files\Common Files\Java
2007-04-18 01:35:20 0 d-------- P:\Program Files\MSECache
2007-04-12 12:55:30 0 d-------- P:\Program Files\GlobalMedia
2007-04-06 09:44:26 0 d-------- C:\Documents and Settings\Sam\Application Data\Media Player Classic


-- Find3M Report ---------------------------------------------------------------

2007-05-04 08:16:14 0 d-------- P:\Program Files\Hijack This
2007-05-01 17:24:06 0 d-------- P:\Program Files\Java
2007-05-01 17:16:31 0 d-------- C:\Documents and Settings\Sam\Application Data\Real
2007-05-01 17:10:18 10 --a------ C:\WINDOWS\popcinfo.dat
2007-05-01 16:22:23 0 d-------- C:\Documents and Settings\Sam\Application Data\uTorrent
2007-04-22 04:03:20 0 d-------- P:\Program Files\SpywareBlaster
2007-04-21 23:24:56 0 d-------- P:\Program Files\Tune-Up 2007
2007-04-21 23:00:31 0 d-------- P:\Program Files\Windows Defender
2007-04-21 21:35:43 0 d-------- P:\Program Files\dvdSanta
2007-04-18 01:35:45 0 d-------- C:\Program Files\Common Files\Microsoft Shared
2007-04-07 01:40:05 0 d-------- C:\Documents and Settings\Sam\Application Data\Vso
2007-04-05 15:28:50 0 d-------- P:\Program Files\DVDFab Platinum 3
2007-04-02 18:40:07 0 d-------- C:\Documents and Settings\Sam\Application Data\AdobeUM
2007-03-31 12:57:28 34 --a------ C:\Documents and Settings\Sam\Application Data\pcouffin.log
2007-03-31 12:57:19 47360 --a------ C:\Documents and Settings\Sam\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-03-31 12:57:19 1144 --a------ C:\Documents and Settings\Sam\Application Data\pcouffin.inf
2007-03-31 12:57:19 1074 --a------ C:\Documents and Settings\Sam\Application Data\pcouffin.cat
2007-03-31 12:57:15 0 d-------- P:\Program Files\vso
2007-03-31 12:56:03 0 d-------- P:\Program Files\Cucusoft video converter
2007-03-31 12:36:59 0 d-------- P:\Program Files\K-Lite Codec Pack
2007-03-31 12:31:02 0 d-------- P:\Program Files\QuickTime
2007-03-28 13:44:53 0 d-------- P:\Program Files\WinAVIVideoConverter
2007-03-23 16:16:53 25056 --a------ C:\Documents and Settings\Sam\Application Data\GDIPFONTCACHEV1.DAT
2007-03-22 18:45:04 0 d-------- P:\Program Files\DVD Decrypter
2007-03-13 02:50:43 0 d-------- C:\Documents and Settings\Sam\Application Data\Ahead
2007-03-13 00:35:32 0 d-------- C:\Program Files\Common Files\Ahead
2007-03-06 20:14:04 0 d-------- C:\Documents and Settings\Sam\Application Data\TuneUp Software
2007-03-01 03:00:01 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-02-28 03:24:32 357 --a------ C:\WINDOWS\system32\SBRC.dat
2007-02-21 21:00:28 10752 --a------ C:\WINDOWS\system32\ff_vfw.dll


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"AVG7_CC"="P:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"MessengerPlus3"="\"P:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"SetDefPrt"="P:\\program files\\Brother\\Brmfl04b\\BrStDvPt.exe"
"ControlCenter2.0"="P:\\program files\\Brother\\ControlCenter2\\brctrcen.exe /autorun"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"Logitech Utility"="Logi_MwX.Exe"
"KEMailKb"="P:\\PROGRA~1\\KEMailKb\\KEMailKb.EXE"
"nForce Tray Options"="sstray.exe /r"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunServer"="P:\\program files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"BitTorrent"="\"P:\\program files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"msnmsgr"="\"P:\\program files\\MSN Messenger\\msnmsgr.exe\" /background"
"SpybotSD TeaTimer"="P:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="P:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="MsgPlusLoader.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="P:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^CounterSpy.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\CounterSpy.lnk"
"backup"="C:\\WINDOWS\\pss\\CounterSpy.lnkCommon Startup"
"location"="Common Startup"
"command"="P:\\PROGRA~1\\SUNBEL~1\\COUNTE~1\\Consumer\\COUNTE~1.EXE "
"item"="CounterSpy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="P:\\PROGRA~1\\MI1933~1\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bittorrent"
"hkey"="HKCU"
"command"="\"P:\\program files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sunserver"
"hkey"="HKLM"
"command"="P:\\program files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ads.yieldmanager.com
127.0.0.1 www.babe.the-killer.bz
127.0.0.1 www.babe.k-lined.com
127.0.0.1 www.did.i-used.cc
127.0.0.1 www.coolwwwsearch.com
127.0.0.1 www.coolwebsearch.com
127.0.0.1 www.hi.studioaperto.net
127.0.0.1 www.webbrowser.tv
127.0.0.1 www.wazzupnet.com
127.0.0.1 www.gueb.com

3225 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-05-04 at 08:16:44 ---------

Things seem to be running better. I am curious if any of the other Java dirs needed attention. As well, the true representation will be when I put the new mb in and hopefully re-engage the IDE drive and see how things run then.

Again, thank you for your time and patience. I look forward to hearing back from you.
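The LSA block in the Deckard dump above lists the DLLs LSASS loads at boot as authentication, security and notification packages. A notification package (password filter) is handed every new plaintext password, so an extra name on any of those three lines is a SYSTEM-level persistence and credential-theft foothold that no review of Run keys or startup folders will show. The script below is an added example for this thread, not part of Deckard's System Scanner or of the original posts: it parses the three lines in the scanner's literal `\0`-separated notation and reports anything outside a baseline. The baseline is an assumption for Windows XP SP2 taken from the dump as posted; the tampered copy and the DLL name `evilfilt` are constructed for the demonstration.

```python
"""Check the LSA package values in a Deckard's System Scanner dump.

Added example for this thread; not part of Deckard's tool or the original
posts. LSASS loads every DLL named under Authentication Packages, Security
Packages and Notification Packages at boot, as SYSTEM, and a notification
package (password filter) is handed each new plaintext password. An extra
name in any of the three lines is therefore a persistence and credential
theft foothold that a Run-key review never shows. The baseline is an
assumption for Windows XP SP2 taken from the dump as posted.
"""
import re

# Assumed clean XP SP2 values (they match the dump posted in the thread).
BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest"},
    "Notification Packages": {"scecli"},
}

LINE_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s+REG_MULTI_SZ\s+(?P<value>.*)$")

# Constructed sample: the LSA block from the dump above, verbatim.
CLEAN_DUMP = r"""
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
"""

# Constructed tampered copy: 'evilfilt' is a made-up password-filter DLL name.
TAMPERED_DUMP = CLEAN_DUMP.replace(
    r"Notification Packages REG_MULTI_SZ scecli\0\0",
    r"Notification Packages REG_MULTI_SZ scecli\0evilfilt\0\0",
)


def parse_multi_sz(text):
    """Split the scanner's literal '\\0'-joined REG_MULTI_SZ notation.

    'kerberos\\0msv1_0\\0\\0' -> ['kerberos', 'msv1_0']; the trailing empty
    strings are the list terminator. Names are lower-cased because the
    registry matches them case-insensitively.
    """
    return [p.lower() for p in text.strip().split("\\0") if p]


def parse_lsa_section(dump):
    """Return {value name: [dll, ...]} for the three LSA lines in the dump."""
    values = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("name") in BASELINE:
            values[m.group("name")] = parse_multi_sz(m.group("value"))
    return values


def audit_lsa(dump):
    """Return (value name, offending dll) pairs; an empty list means clean.

    A value missing from the dump is reported too: a scanner that could not
    read it is itself a finding worth checking by hand.
    """
    values = parse_lsa_section(dump)
    findings = []
    for name, expected in BASELINE.items():
        if name not in values:
            findings.append((name, "<missing from dump>"))
            continue
        findings.extend((name, dll) for dll in values[name] if dll not in expected)
    return findings


if __name__ == "__main__":
    for label, dump in (("clean", CLEAN_DUMP), ("tampered", TAMPERED_DUMP)):
        print(label, audit_lsa(dump) or "OK")
```

Run it on the three `REG_MULTI_SZ` lines copied from any such dump; anything it prints other than `OK` is a DLL name to locate on disk, check the publisher of, and explain before the machine is called clean.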

#10 Falu (Security Colleague, The Netherlands)

Posted 05 May 2007 - 12:47 PM

Hi Lonranger, :thumbsup:

1. Before doing anything, disable your real-time protection again:

Teatimer:

> Run Spybot S&D, go to the Mode menu and select Advanced Mode;
> On the left hand side choose Tools > Resident;
> Uncheck Resident Teatimer and click Ok (close Spybot).

Ad-Watch:

* Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
* At the bottom of the screen there will be two checkable items called "Active" and "Automatic".
Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off
* Uncheck (red X) both items.

CounterSpy:

* Right Click on the CounterSpy Icon located in your system tray.
* With your mouse, hover over Active Protection Status (This should be enabled)
* A menu will slide out, then right click on Disable Active Protection

2. Open Notepad and copy and paste the following text in the codebox into it (starting with "Windows Registry Editor"):

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]

[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}]

Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

3. Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\popcinfo.dat
C:\WINDOWS\system32\SBFC.dat
C:\WINDOWS\system32\SBRC.dat


Open 'File' in the KillBox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
KillBox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompts, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please post a fresh HijackThis log for review.
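Steps 2 and 3 above both queue changes that take effect blind: a merged .reg file deletes whatever keys it names, and KillBox's "Delete on Reboot" removes files before any on-access scanner is running. The script below is an added example for this thread, not part of HijackThis, regedit or KillBox. It reads the fix.reg from the post, lists the operations it would perform, and applies an assumed safety rule (a cleanup of leftover ActiveX registrations may delete whole `CLSID` and `Code Store Database\Distribution Units` entries for a specific GUID and nothing else); it also shows the registry form behind delete-on-reboot, which is where the "Pending File Rename Operations" prompt comes from. The allow-list, the GUID requirement and the `evil` key used in the check are this example's assumptions.

```python
"""Audit a regedit .reg fix before merging it, and show what it does.

Added example for this thread; it is not part of HijackThis, regedit or
KillBox. parse_reg() reads a 'Windows Registry Editor Version 5.00' file
(single-line values only, no hex continuation lines) and lists the
operations it would perform. audit_deletions() is an assumed safety check:
a cleanup .reg may delete whole CLSID and Code Store Database entries for a
specific GUID and nothing else. pending_delete_entries() shows the registry
form behind a 'delete on reboot' tool.
"""
import re

# The fix.reg from the post above, embedded so the script runs offline.
FIX_REG = r"""Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]

[-HKEY_CLASSES_ROOT\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}]
"""

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|@)=(?P<data>.*)$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Assumed allow-list: the only places a leftover-ActiveX cleanup may delete from.
DELETE_ALLOWED = (
    "HKEY_CLASSES_ROOT\\CLSID\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\",
)


def parse_reg(text):
    """Return the operations in a .reg file as tuples.

    ('delete_key', key), ('create_key', key) or ('set_value', key, name, data).
    regedit exports .reg files as UTF-16 with a BOM; the thread's file was typed
    in Notepad, so plain text is assumed here. Decode before calling if needed.
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a Registry Editor 5.00 file")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            ops.append(("delete_key" if m.group("delete") else "create_key", current))
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("name") is None else m.group("name")
            ops.append(("set_value", current, name, m.group("data")))
    return ops


def audit_deletions(ops):
    """Split key deletions into (allowed, refused).

    A deletion passes only if it sits directly under an allow-listed prefix and
    names a full GUID, so '[-HKEY_LOCAL_MACHINE\\SOFTWARE]' or a deletion of a
    CLSID sub-key is refused and left for a human to look at.
    """
    prefixes = tuple(p.upper() for p in DELETE_ALLOWED)
    allowed, refused = [], []
    for op in ops:
        if op[0] != "delete_key":
            continue
        key = op[1]
        ok = key.upper().startswith(prefixes) and GUID_RE.search(key) is not None
        (allowed if ok else refused).append(key)
    return allowed, refused


def pending_delete_entries(paths):
    """Return the REG_MULTI_SZ pairs a delete-on-reboot tool queues.

    KillBox's 'Delete on Reboot' uses the mechanism behind
    MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT): the PendingFileRenameOperations
    value under Session Manager holds an NT-style source path followed by a
    destination, and an empty destination means delete at next boot. A
    pre-existing entry is what the 'Pending File Rename Operations' prompt in
    the post is about. Writing the value is not attempted here.
    """
    entries = []
    for p in paths:
        entries.extend(["\\??\\" + p, ""])
    return entries


if __name__ == "__main__":
    ops = parse_reg(FIX_REG)
    allowed, refused = audit_deletions(ops)
    for key in allowed:
        print("would delete:", key)
    for key in refused:
        print("REFUSED (outside allow-list):", key)
    print(pending_delete_entries([r"C:\WINDOWS\popcinfo.dat"]))
```

Against the posted fix.reg it reports four allowed deletions and nothing refused; append a line such as `[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]` and that key is refused, which is the point of auditing a fix before double-clicking it.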

#11 Lonranger (Topic Starter, Canada)

Posted 06 May 2007 - 01:03 PM

I did as you requested. Here is the hj log that you also requested.

Logfile of HijackThis v1.99.1
Scan saved at 11:58:18 AM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
P:\program files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
P:\program files\MSN Messenger\msnmsgr.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\MouseButton\Mbutton.EXE
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [SpybotSD TeaTimer] P:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe

As a side note:

The two .dat files in the \system32\ directory are there on reboot. One is a 0-byte file and the other is a 1 KB file. Hope that this helps.

I look forward to your next response.

Thanks again for all your help and assistance.

Edited by Lonranger, 06 May 2007 - 01:06 PM.


#12 Lonranger (Topic Starter, Canada)

Posted 06 May 2007 - 01:17 PM

Hi there...

It seems that the first time I did the KillBox it did not take, so I did it again on a file-by-file basis. I was able to verify that the files were indeed gone.

Here is the new hj log...

Logfile of HijackThis v1.99.1
Scan saved at 12:12:29 PM, on 5/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
P:\program files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
P:\Program Files\MessengerPlus! 3\MsgPlus.exe
P:\program files\Brother\ControlCenter2\brctrcen.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\System32\svchost.exe
P:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
P:\program files\MSN Messenger\msnmsgr.exe
P:\program files\Brother\Brmfcmon\BrMfcmon.exe
P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
P:\program files\BHODemon 2\BHODemon.exe
C:\Program Files\MouseButton\Mbutton.EXE
C:\WINDOWS\system32\wuauclt.exe
P:\PROGRA~1\MOZILL~1\FIREFOX.EXE
P:\program files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - P:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] P:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SetDefPrt] P:\program files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] P:\program files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [KEMailKb] P:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunServer] P:\program files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent] "P:\program files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "P:\program files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Ad-Watch SE Professional.lnk = P:\program files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O4 - Startup: Middle Mouse Button.lnk = C:\Program Files\MouseButton\Mbutton.EXE
O4 - Global Startup: Status Monitor.lnk = P:\program files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://P:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - P:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - https://intuitcanada.ehosts.net/netagent/ob...s/custappx3.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159847774875
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160789263171
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - P:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - P:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - P:\program files\CyberLink\Shared files\RichVideo.exe



Would you also mind explaining what that fix.reg file was for?

Thank you again for your assistance and look forward to hearing back from you.
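Both logs above are read the same way by hand: the responder skips the known-good lines and stops at the handful of entries that load code in an unusual way or point at nothing. The script below is that reading as code. It is an added example for this thread, not HijackThis output and not from the original posts; the rule names and the choice of what to flag are this example's assumptions. On a constructed subset of the posted log it flags the two O20 load points (AppInit_DLLs is injected into every process that loads user32.dll; a Winlogon Notify DLL runs inside winlogon.exe), the three "(file missing)" orphans, the one O16 control fetched over plain http, the one service with no publisher in its version info, and three Run entries (nwiz.exe, Logi_MwX.Exe, sstray.exe) that are bare file names Windows resolves through the search order. A bare name is not malicious in itself, but it is exactly what a planted binary earlier in that search order would hijack, which is why an analyst checks where it actually resolves.

```python
"""Triage a HijackThis 1.99 log for the entries a responder checks first.

Added example for this thread; it is not part of HijackThis, and the rules
and tags are this example's assumptions. It parses the 'Rn/On - ' lines and
flags: registrations marked '(file missing)'; every O20 line (AppInit_DLLs
and Winlogon Notify DLLs are loaded into every user32 process or into
winlogon.exe, so they deserve a look even when benign, as MsgPlusLoader.dll
is here); O16 downloaded program files fetched over plain http; O23
services with no publisher in their version info; and O4 autoruns whose
command is a bare file name rather than a full path.
"""
import re
from collections import Counter

ENTRY_RE = re.compile(r"^(?P<code>R\d|F\d|O\d{1,2}) - (?P<body>.*)$")

# Constructed sample: a subset of the log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.plentyoffish.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - P:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MessengerPlus3] "P:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - Startup: BHODemon 2.0.lnk = P:\program files\BHODemon 2\BHODemon.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "P:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def parse_log(text):
    """Return [{'code': 'O4', 'body': '...'}, ...] for every section line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body")})
    return entries


def _o4_target(body):
    """Return the executable (or, for rundll32, the DLL) an O4 line launches.

    Run-key lines read '...: [item] command'; startup-folder lines read
    'Startup: name.lnk = command'. Tokens are split on whitespace only, which
    is enough to see whether the first token carries a drive or directory.
    """
    cmd = body.split("] ", 1)[1] if "] " in body else body.split("= ", 1)[-1]
    tokens = cmd.split()
    if not tokens:
        return ""
    first = tokens[0].strip('"')
    if first.lower().endswith("rundll32.exe") and len(tokens) > 1:
        # rundll32 itself lives in system32; what matters is the DLL it loads.
        return tokens[1].split(",")[0].strip('"')
    return first


def is_qualified(path):
    """True when a command names a drive or directory rather than a bare file."""
    return "\\" in path or ":" in path


def triage(text):
    """Return (tag, code, body) findings for the lines worth a second look."""
    findings = []
    for e in parse_log(text):
        code, body = e["code"], e["body"]
        if "(file missing)" in body:
            findings.append(("orphaned-entry", code, body))
        if code == "O20":
            findings.append(("dll-load-point", code, body))
        if code == "O16" and re.search(r"\bhttp://", body):
            findings.append(("dpf-over-http", code, body))
        if code == "O23" and "Unknown owner" in body:
            findings.append(("service-no-publisher", code, body))
        if code == "O4" and not is_qualified(_o4_target(body)):
            findings.append(("unqualified-autorun", code, body))
    return findings


def summarize(findings):
    """Count findings per tag."""
    return dict(Counter(tag for tag, _, _ in findings))


if __name__ == "__main__":
    for tag, code, body in triage(SAMPLE_LOG):
        print(f"[{tag}] {code} - {body}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it a whole log instead of the embedded subset and the output is the short list to verify on disk; everything it does not print is still worth a skim, but it is where an analyst spends the least time.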

#13 Falu (Security Colleague, The Netherlands)

Posted 07 May 2007 - 03:11 PM

Hi Lonranger, :flowers:

1.

Would you also mind explaining what that fix.reg file was for?


Of course not. You had those two O16 leftovers in your HijackThis log. The .reg file was written to delete those, since HijackThis didn't. And as you can see, the file did its job and the two are gone. Actually, I think you're ready to go.

2. Your log looks clean!

Remove previous restore points and set a new one to purge any malware that may have been backed up:

Click Start > Help and Support > Undo changes to your computer with System Restore.
Click Create a Restore Point, then click Next. Give it a name and then click Create.

Click Start>Run and type Cleanmgr
Click the More Options Tab.
Click Clean Up in the System Restore section.

This will remove all previous restore points except the newly created one.

3. In order to prevent future infections follow these recommendations:

a. Visit Windows Update on a regular basis to stay current with critical updates.

b. Install and run the following free programs:

* Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here!

* Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here! Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

* SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here!

* SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here!

* IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Keep all these programs (including your anti-virus) up-to-date and run them regularly.
If you do not update regularly they will not be able to catch any of the new variants that may come out.

c. I recommend you read Tony Klein's excellent article: So how did I get infected in the first place?

d. If you want to fight back against the malware writers, please take a look here!

Glad I was able to help and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BleepingComputer Forums, we also help people with other computer problems! Do not forget to tell your friends about us!

Good luck! :thumbsup:



