avbferry

Hijacked by http://www.sysprotectionpage.com/ please help

I have carried out the HijackThis scan and my log is as follows. Please assist, and thank you.

Logfile of HijackThis v1.99.1

Scan saved at 10:36:27 PM, on 7/7/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Brave\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa.com/

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll

O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe

O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm

O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB

O16 - DPF: {652524F4-F52B-4951-9C1E-30DB62B2B34D} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1sg.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/xp/ScanFilexp.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...427/mcfscan.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDC0D07-BFDD-4470-AD95-9571F61787A2}: NameServer = 165.21.100.88 165.21.83.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Attached below is my Ad-Aware log file.

Ad-Aware SE Build 1.06r1

Logfile Created on:Friday, July 07, 2006 5:42:12 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R113 28.06.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe(TAC index:4):1 total references

MalwareWipe(TAC index:3):20 total references

MRU List(TAC index:0):20 total references

Tracking Cookie(TAC index:3):18 total references

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

7-7-2006 5:42:12 PM - Scan started. (Full System Scan)

MRU List Object Recognized!

Location: : C:\Documents and Settings\Brave\Application Data\microsoft\office\recent

Description : list of recently opened documents using microsoft office

MRU List Object Recognized!

Location: : C:\Documents and Settings\Brave\recent

Description : list of recently opened documents

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\google\navclient\1.1\history

Description : list of recently used search terms in the google toolbar

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct3d

MRU List Object Recognized!

Location: : software\microsoft\direct3d\mostrecentapplication

Description : most recent application to use microsoft direct X

MRU List Object Recognized!

Location: : software\microsoft\directdraw\mostrecentapplication

Description : most recent application to use microsoft directdraw

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\directinput\mostrecentapplication

Description : most recent application to use microsoft directinput

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\internet explorer

Description : last download directory used in microsoft internet explorer

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\internet explorer\typedurls

Description : list of recently entered addresses in microsoft internet explorer

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\mediaplayer\preferences

Description : last playlist index loaded in microsoft windows media player

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\mediaplayer\preferences

Description : last playlist loaded in microsoft windows media player

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows\currentversion\applets\paint\recent file list

Description : list of files recently opened using microsoft paint

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

Description : list of recent programs opened

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru

Description : list of recently saved files, stored according to file extension

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows\currentversion\explorer\recentdocs

Description : list of recent documents opened

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows\currentversion\explorer\runmru

Description : mru list for items opened in start | run

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\realnetworks\realplayer\6.0\preferences

Description : list of recent skins in realplayer

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\realnetworks\realplayer\6.0\preferences

Description : list of recent clips in realplayer

MRU List Object Recognized!

Location: : S-1-5-21-1602489464-1296836545-4109948839-1008\software\microsoft\windows media\wmsdk\general

Description : windows media sdk

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 400

ThreadCreationTime : 7-7-2006 9:27:30 AM

BasePriority : Normal

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 472

ThreadCreationTime : 7-7-2006 9:27:33 AM

BasePriority : Normal

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 496

ThreadCreationTime : 7-7-2006 9:27:33 AM

BasePriority : High

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 540

ThreadCreationTime : 7-7-2006 9:27:34 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 552

ThreadCreationTime : 7-7-2006 9:27:34 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 708

ThreadCreationTime : 7-7-2006 9:27:35 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 776

ThreadCreationTime : 7-7-2006 9:27:36 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 824

ThreadCreationTime : 7-7-2006 9:27:36 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 884

ThreadCreationTime : 7-7-2006 9:27:36 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1060

ThreadCreationTime : 7-7-2006 9:27:37 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

#:11 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1116

ThreadCreationTime : 7-7-2006 9:27:39 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

#:12 [avgamsvr.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1224

ThreadCreationTime : 7-7-2006 9:27:39 AM

BasePriority : Normal

FileVersion : 7,1,0,365

ProductVersion : 7.1.0.365

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Alert Manager

InternalName : avgamsvr

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgamsvr.EXE

#:13 [avgupsvc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1240

ThreadCreationTime : 7-7-2006 9:27:40 AM

BasePriority : Normal

FileVersion : 7,1,0,349

ProductVersion : 7.1.0.349

ProductName : AVG 7.0 Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Update Service

InternalName : avgupsvc

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgupdsvc.EXE

#:14 [avgemc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1252

ThreadCreationTime : 7-7-2006 9:27:40 AM

BasePriority : Normal

FileVersion : 7,1,0,371

ProductVersion : 7.1.0.371

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG E-Mail Scanner

InternalName : avgemc

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgemc.exe

#:15 [ctsvccda.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1304

ThreadCreationTime : 7-7-2006 9:27:41 AM

BasePriority : Normal

FileVersion : 1.0.1.0

ProductVersion : 1.0.0.0

ProductName : Creative Service for CDROM Access

CompanyName : Creative Technology Ltd

FileDescription : Creative Service for CDROM Access

InternalName : CTsvcCDAEXE

LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.

OriginalFilename : CTsvcCDA.EXE

#:16 [appservices.exe]

FilePath : C:\PROGRA~1\Iomega\System32\

ProcessID : 1344

ThreadCreationTime : 7-7-2006 9:27:41 AM

BasePriority : Normal

FileVersion : 2, 0, 1, 0

ProductVersion : 2, 0, 1, 0

ProductName : Iomega App Services

CompanyName : Iomega Corporation

FileDescription : AppServices

InternalName : AppServices

LegalCopyright : Copyright © 2000

OriginalFilename : AppService.exe

Comments : Iomega App Services For Windows 2000/NT

#:17 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1460

ThreadCreationTime : 7-7-2006 9:27:42 AM

BasePriority : Normal

FileVersion : 6.14.10.5216

ProductVersion : 6.14.10.5216

ProductName : NVIDIA Driver Helper Service, Version 52.16

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 52.16

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

#:18 [mspmspsv.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1608

ThreadCreationTime : 7-7-2006 9:27:43 AM

BasePriority : Normal

FileVersion : 7.00.00.1954

ProductVersion : 7.00.00.1954

ProductName : Microsoft ® DRM

CompanyName : Microsoft Corporation

FileDescription : WMDM PMSP Service

InternalName : MSPMSPSV.EXE

LegalCopyright : Copyright © Microsoft Corp. 1981-2000

OriginalFilename : MSPMSPSV.EXE

#:19 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1780

ThreadCreationTime : 7-7-2006 9:27:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

#:20 [devldr32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 300

ThreadCreationTime : 7-7-2006 9:28:28 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 22

ProductVersion : 1, 0, 0, 22

ProductName : Creative Ring3 NT Inteface

CompanyName : Creative Technology Ltd.

FileDescription : DevLdr32

InternalName : DevLdr

LegalCopyright : Copyright © 1997-2001 Creative Technology Ltd.

OriginalFilename : DevLdr32.exe

#:21 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 444

ThreadCreationTime : 7-7-2006 9:28:28 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

#:22 [directcd.exe]

FilePath : C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\

ProcessID : 1988

ThreadCreationTime : 7-7-2006 9:28:40 AM

BasePriority : Normal

FileVersion : 5.2.0.91

ProductVersion : 5.2.0.91

ProductName : DirectCD

CompanyName : Roxio

FileDescription : DirectCD Application

InternalName : DirectCD

LegalCopyright : Copyright © 2001-2002, Roxio, Inc.

OriginalFilename : Directcd.exe

#:23 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1472

ThreadCreationTime : 7-7-2006 9:28:44 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

#:24 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_01\bin\

ProcessID : 1300

ThreadCreationTime : 7-7-2006 9:28:45 AM

BasePriority : Normal

#:25 [realsched.exe]

FilePath : C:\Program Files\Common Files\Real\Update_OB\

ProcessID : 1048

ThreadCreationTime : 7-7-2006 9:28:45 AM

BasePriority : Normal

FileVersion : 0.1.0.3249

ProductVersion : 0.1.0.3249

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealNetworks Scheduler

InternalName : schedapp

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : realsched.exe

#:26 [ituneshelper.exe]

FilePath : C:\Program Files\iTunes\

ProcessID : 172

ThreadCreationTime : 7-7-2006 9:28:47 AM

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iTunesHelper Module

InternalName : iTunesHelper

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iTunesHelper.exe

#:27 [avgcc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 252

ThreadCreationTime : 7-7-2006 9:28:48 AM

BasePriority : Normal

FileVersion : 7,1,0,381

ProductVersion : 7.1.0.381

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Control Center

InternalName : AvgCC

LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.

OriginalFilename : AvgCC.EXE

#:28 [ipodservice.exe]

FilePath : C:\Program Files\iPod\bin\

ProcessID : 416

ThreadCreationTime : 7-7-2006 9:28:49 AM

BasePriority : Normal

FileVersion : 6.0.4.2

ProductVersion : 6.0.4.2

ProductName : iTunes

CompanyName : Apple Computer, Inc.

FileDescription : iPodService Module

InternalName : iPodService

LegalCopyright : © 2003-2006 Apple Computer, Inc. All Rights Reserved.

OriginalFilename : iPodService.exe

#:29 [wcescomm.exe]

FilePath : C:\Program Files\Microsoft ActiveSync\

ProcessID : 436

ThreadCreationTime : 7-7-2006 9:28:49 AM

BasePriority : Normal

FileVersion : 3.5.0.12007

ProductVersion : 3.5.12007

ProductName : Microsoft ActiveSync

CompanyName : Microsoft Corporation

FileDescription : Connection Manager

InternalName : wcescomm

LegalCopyright : Copyright © 1995-2001 Microsoft Corp. All rights reserved.

LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation.

OriginalFilename : WCESCOMM.EXE

#:30 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ProcessID : 460

ThreadCreationTime : 7-7-2006 9:28:50 AM

BasePriority : Idle

FileVersion : 1, 4, 0, 2

ProductVersion : 1, 4, 0, 3

ProductName : Spybot - Search & Destroy

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : TeaTimer.exe

Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

#:31 [wkcalrem.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\

ProcessID : 1560

ThreadCreationTime : 7-7-2006 9:29:15 AM

BasePriority : Normal

FileVersion : 6.00.1911.0

ProductVersion : 6.00.1911.0

ProductName : Microsoft® Works 6.0

CompanyName : Microsoft® Corporation

FileDescription : Microsoft® Works Calendar Reminder Service

InternalName : WkCalRem

LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.

OriginalFilename : WKCALREM.EXE

#:32 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 2772

ThreadCreationTime : 7-7-2006 9:36:18 AM

BasePriority : Normal

#:33 [spybotsd.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ProcessID : 2856

ThreadCreationTime : 7-7-2006 9:37:14 AM

BasePriority : Normal

FileVersion : 1.4.0.3

ProductVersion : 1, 4, 0, 3

ProductName : SpyBot-S&D

CompanyName : Safer Networking Limited

FileDescription : Spybot - Search & Destroy

InternalName : SpybotSD

LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : SpyBotSD.exe

Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.

#:34 [ad-aware.exe]

FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\

ProcessID : 2884

ThreadCreationTime : 7-7-2006 9:37:33 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 20

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Malware.SpyAxe Object Recognized!

Type : Regkey

Data :

TAC Rating : 4

Category : Malware

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : appid\malwarewipe.exe

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : clsid\{a5c70510-5a01-b2a5-cf84-d6dc13859967}

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{0b595e3d-27be-4da1-a278-ca4d904b5823}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{1d1e9b3d-5a4c-4c70-a9b4-5a19e0c625dc}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{2a34546c-c437-460a-88af-d4703a548ea9}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{3d9fd47c-e0b5-4005-9ade-552980d3761f}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{3e5b0894-fe91-4063-bb41-d885c7691581}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{479b1aea-4414-4e43-8cbf-94bfc7c69b56}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{4a2ecc12-46ba-4c52-9749-c0faf38d507b}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{4d6079cb-fd9e-46af-a896-6e8582e52827}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{511a9bb1-917a-414a-88fd-3128e37032a1}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{8cbed98f-8ddd-4af0-a9ea-c75e10c937bc}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a44cab15-6b7e-406b-9d9b-b1c1c6ba8cdb}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{a99ac77f-4de5-4aa2-810a-35fab5fc114b}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{b74b2b6c-9b8d-47d9-872f-e83d475aaf34}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{ce5ecf63-6065-4b92-8b7e-72b5042c2f25}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{d4bfbb89-4bc5-4d13-8d3a-75edcc0cf50c}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : interface\{e86d0281-fa5a-4e36-b993-84fd87da9df1}

 

MalwareWipe Object Recognized!

Type : Regkey

Data :

TAC Rating : 3

Category : Misc

Comment :

Rootkey : HKEY_CLASSES_ROOT

Object : typelib\{177e74d6-e1d1-4d15-9d36-85399ba00729}

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 20

Objects found so far: 40

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 40

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:11

Value : Cookie:[email protected]/

Expires : 1-1-2010 8:00:00 AM

LastSync : Hits:11

UseCount : 0

Hits : 11

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/cgi-bin

Expires : 2-28-2015 8:00:00 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:37

Value : Cookie:[email protected]/

Expires : 8-9-2006 10:35:44 AM

LastSync : Hits:37

UseCount : 0

Hits : 37

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:[email protected]/cgi-bin

Expires : 6-19-2016 10:59:58 PM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:7

Value : Cookie:[email protected]/

Expires : 12-22-2006 2:12:28 PM

LastSync : Hits:7

UseCount : 0

Hits : 7

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][3].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/cgi-bin

Expires : 2-28-2015 8:00:00 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 9-20-2006 2:14:30 AM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:4

Value : Cookie:[email protected]/

Expires : 6-10-2022 1:05:42 PM

LastSync : Hits:4

UseCount : 0

Hits : 4

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 6-25-2016 6:34:40 PM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:5

Value : Cookie:[email protected]/

Expires : 1-1-2021 8:00:00 AM

LastSync : Hits:5

UseCount : 0

Hits : 5

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:3

Value : Cookie:[email protected]/

Expires : 1-1-2038 8:00:00 AM

LastSync : Hits:3

UseCount : 0

Hits : 3

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:[email protected]/

Expires : 8-1-2006 10:54:48 AM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:2

Value : Cookie:[email protected]/

Expires : 6-23-2011 10:33:56 AM

LastSync : Hits:2

UseCount : 0

Hits : 2

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 6-22-2007 11:32:38 PM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:6

Value : Cookie:[email protected]/

Expires : 6-24-2011 6:44:02 PM

LastSync : Hits:6

UseCount : 0

Hits : 6

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 6-19-2016 2:14:26 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][1].txt

TAC Rating : 3

Category : Data Miner

Comment : Hits:1

Value : Cookie:[email protected]/

Expires : 6-24-2007 10:49:46 AM

LastSync : Hits:1

UseCount : 0

Hits : 1

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 17

Objects found so far: 57

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Tracking Cookie Object Recognized!

Type : IECache Entry

Data : [email protected][2].txt

TAC Rating : 3

Category : Data Miner

Comment :

Value : C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

MalwareWipe Object Recognized!

Type : File

Data : A0084666.exe

TAC Rating : 3

Category : Misc

Comment :

Object : C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP368\

FileVersion : 4.0.0.0

ProductVersion : 4.0.0.0

ProductName : MalwareWipe

CompanyName : MalwareWipe.com

FileDescription : Anti-spyware software

InternalName : MalwareWipe

LegalCopyright : © MalwareWipe.com. All rights reserved.

OriginalFilename : MalwareWipe.exe

 

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 59

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 59

 

 

 

 

Performing conditional scans...

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Conditional scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 59

 

6:19:27 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:37:14.328

Objects scanned:160663

Objects identified:39

Objects ignored:0

New critical objects:39


Hi avbferry,

 

Adaware updated yesterday with new detections for some of these variants of Smitfraud that cause the hijack you have. Would you please first update your Adaware program and rescan (full system scan) to let it clean anything it finds.

 

Then post a fresh Hijackthis log and the new Adaware scan log. I'll be happy to help with whatever may be left.

 

Please can you make sure that you are using Ad-aware SE Build 106r1.

Note: If your version is 6.0 and not the SE, you need to uninstall and get the latest version from the above link.

[If not, uninstall your old Ad-aware first, then install SE.]

Then use the WebUpDate to get the latest definition file, SE1R114 08.07.2006.

To do this, open Ad-aware and click the WebUpDate button at the top right hand side of the Ad-aware screen (the world globe). Click "Connect", and Ad-aware will then download the latest definition file for you.

To make sure it is updated, look at the main Ad-aware screen under "Initialization Status". It should say the latest definition file.

Then scan doing a "Full Scan", and then post your logfile here by using the Add-Reply feature.

Logs are stored in:

C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-aware\Logs\

An easy way to get there is to click Start, click Run, type in %appdata% and press ENTER, then click Lavasoft, then Ad-Aware, and then Logs. Scroll down to find the latest one that you have (by date & time), open it, right-click, Select All, Copy, and then paste the contents of it here.


Hi CalamityJane, thanks for the reply. Attached below is my Ad-Aware log.

 

 

Ad-Aware SE Build 1.06r1

Logfile Created on:Thursday, July 13, 2006 7:50:41 PM

Created with Ad-Aware SE Personal, free for private use.

Using definitions file:SE1R114 08.07.2006

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

References detected during the scan:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

None

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Ad-Aware SE Settings

===========================

Set : Search for negligible risk entries

Set : Safe mode (always request confirmation)

Set : Scan active processes

Set : Scan registry

Set : Deep-scan registry

Set : Scan my IE Favorites for banned URLs

Set : Scan my Hosts file

 

Extended Ad-Aware SE Settings

===========================

Set : Unload recognized processes & modules during scan

Set : Scan registry for all users instead of current user only

Set : Always try to unload modules before deletion

Set : During removal, unload Explorer and IE if necessary

Set : Let Windows remove files in use at next reboot

Set : Delete quarantined objects after restoring

Set : Include basic Ad-Aware settings in log file

Set : Include additional Ad-Aware settings in log file

Set : Include reference summary in log file

Set : Include alternate data stream details in log file

Set : Play sound at scan completion if scan locates critical objects

 

 

7-13-2006 7:50:41 PM - Scan started. (Full System Scan)

 

Listing running processes

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

#:1 [smss.exe]

FilePath : \SystemRoot\System32\

ProcessID : 452

ThreadCreationTime : 7-13-2006 11:39:14 AM

BasePriority : Normal

 

 

#:2 [csrss.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 500

ThreadCreationTime : 7-13-2006 11:39:16 AM

BasePriority : Normal

 

 

#:3 [winlogon.exe]

FilePath : \??\C:\WINDOWS\system32\

ProcessID : 524

ThreadCreationTime : 7-13-2006 11:39:16 AM

BasePriority : High

 

 

#:4 [services.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 568

ThreadCreationTime : 7-13-2006 11:39:16 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Services and Controller app

InternalName : services.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : services.exe

 

#:5 [lsass.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 580

ThreadCreationTime : 7-13-2006 11:39:16 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : LSA Shell (Export Version)

InternalName : lsass.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : lsass.exe

 

#:6 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 752

ThreadCreationTime : 7-13-2006 11:39:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:7 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 820

ThreadCreationTime : 7-13-2006 11:39:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:8 [svchost.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 868

ThreadCreationTime : 7-13-2006 11:39:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:9 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 920

ThreadCreationTime : 7-13-2006 11:39:18 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:10 [svchost.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1028

ThreadCreationTime : 7-13-2006 11:39:19 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Generic Host Process for Win32 Services

InternalName : svchost.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : svchost.exe

 

#:11 [vsmon.exe]

FilePath : C:\WINDOWS\SYSTEM32\ZoneLabs\

ProcessID : 1092

ThreadCreationTime : 7-13-2006 11:39:19 AM

BasePriority : Normal

FileVersion : 6.5.722.000

ProductVersion : 6.5.722.000

ProductName : TrueVector Service

CompanyName : Zone Labs, LLC

FileDescription : TrueVector Service

InternalName : vsmon

LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC

OriginalFilename : vsmon.exe

 

#:12 [spoolsv.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1272

ThreadCreationTime : 7-13-2006 11:39:29 AM

BasePriority : Normal

FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)

ProductVersion : 5.1.2600.2696

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Spooler SubSystem App

InternalName : spoolsv.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : spoolsv.exe

 

#:13 [avgamsvr.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1384

ThreadCreationTime : 7-13-2006 11:39:29 AM

BasePriority : Normal

FileVersion : 7,1,0,365

ProductVersion : 7.1.0.365

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Alert Manager

InternalName : avgamsvr

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgamsvr.EXE

 

#:14 [avgupsvc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1400

ThreadCreationTime : 7-13-2006 11:39:30 AM

BasePriority : Normal

FileVersion : 7,1,0,349

ProductVersion : 7.1.0.349

ProductName : AVG 7.0 Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Update Service

InternalName : avgupsvc

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgupdsvc.EXE

 

#:15 [avgemc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 1436

ThreadCreationTime : 7-13-2006 11:39:30 AM

BasePriority : Normal

FileVersion : 7,1,0,371

ProductVersion : 7.1.0.371

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG E-Mail Scanner

InternalName : avgemc

LegalCopyright : Copyright © 2005, GRISOFT, s.r.o.

OriginalFilename : avgemc.exe

 

#:16 [ctsvccda.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1460

ThreadCreationTime : 7-13-2006 11:39:30 AM

BasePriority : Normal

FileVersion : 1.0.1.0

ProductVersion : 1.0.0.0

ProductName : Creative Service for CDROM Access

CompanyName : Creative Technology Ltd

FileDescription : Creative Service for CDROM Access

InternalName : CTsvcCDAEXE

LegalCopyright : Copyright © Creative Technology Ltd., 1999. All rights reserved.

OriginalFilename : CTsvcCDA.EXE

 

#:17 [appservices.exe]

FilePath : C:\PROGRA~1\Iomega\System32\

ProcessID : 1496

ThreadCreationTime : 7-13-2006 11:39:30 AM

BasePriority : Normal

FileVersion : 2, 0, 1, 0

ProductVersion : 2, 0, 1, 0

ProductName : Iomega App Services

CompanyName : Iomega Corporation

FileDescription : AppServices

InternalName : AppServices

LegalCopyright : Copyright © 2000

OriginalFilename : AppService.exe

Comments : Iomega App Services For Windows 2000/NT

 

#:18 [nvsvc32.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1544

ThreadCreationTime : 7-13-2006 11:39:31 AM

BasePriority : Normal

FileVersion : 6.14.10.5216

ProductVersion : 6.14.10.5216

ProductName : NVIDIA Driver Helper Service, Version 52.16

CompanyName : NVIDIA Corporation

FileDescription : NVIDIA Driver Helper Service, Version 52.16

InternalName : NVSVC

LegalCopyright : © NVIDIA Corporation. All rights reserved.

OriginalFilename : nvsvc32.exe

 

#:19 [mspmspsv.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1636

ThreadCreationTime : 7-13-2006 11:39:33 AM

BasePriority : Normal

FileVersion : 7.00.00.1954

ProductVersion : 7.00.00.1954

ProductName : Microsoft ® DRM

CompanyName : Microsoft Corporation

FileDescription : WMDM PMSP Service

InternalName : MSPMSPSV.EXE

LegalCopyright : Copyright © Microsoft Corp. 1981-2000

OriginalFilename : MSPMSPSV.EXE

 

#:20 [alg.exe]

FilePath : C:\WINDOWS\System32\

ProcessID : 1984

ThreadCreationTime : 7-13-2006 11:39:39 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Application Layer Gateway Service

InternalName : ALG.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : ALG.exe

 

#:21 [wuauclt.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 380

ThreadCreationTime : 7-13-2006 11:40:23 AM

BasePriority : Normal

FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)

ProductVersion : 5.8.0.2469

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Automatic Updates

InternalName : wuauclt.exe

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : wuauclt.exe

 

#:22 [devldr32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1616

ThreadCreationTime : 7-13-2006 11:42:04 AM

BasePriority : Normal

FileVersion : 1, 0, 0, 22

ProductVersion : 1, 0, 0, 22

ProductName : Creative Ring3 NT Inteface

CompanyName : Creative Technology Ltd.

FileDescription : DevLdr32

InternalName : DevLdr

LegalCopyright : Copyright © 1997-2001 Creative Technology Ltd.

OriginalFilename : DevLdr32.exe

 

#:23 [explorer.exe]

FilePath : C:\WINDOWS\

ProcessID : 1576

ThreadCreationTime : 7-13-2006 11:42:04 AM

BasePriority : Normal

FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 6.00.2900.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Windows Explorer

InternalName : explorer

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : EXPLORER.EXE

 

#:24 [rundll32.exe]

FilePath : C:\WINDOWS\system32\

ProcessID : 1908

ThreadCreationTime : 7-13-2006 11:42:20 AM

BasePriority : Normal

FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)

ProductVersion : 5.1.2600.2180

ProductName : Microsoft® Windows® Operating System

CompanyName : Microsoft Corporation

FileDescription : Run a DLL as an App

InternalName : rundll

LegalCopyright : © Microsoft Corporation. All rights reserved.

OriginalFilename : RUNDLL.EXE

 

#:25 [jusched.exe]

FilePath : C:\Program Files\Java\jre1.5.0_01\bin\

ProcessID : 1892

ThreadCreationTime : 7-13-2006 11:42:20 AM

BasePriority : Normal

 

 

#:26 [realsched.exe]

FilePath : C:\Program Files\Common Files\Real\Update_OB\

ProcessID : 1392

ThreadCreationTime : 7-13-2006 11:42:21 AM

BasePriority : Normal

FileVersion : 0.1.0.3249

ProductVersion : 0.1.0.3249

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealNetworks Scheduler

InternalName : schedapp

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : realsched.exe

 

#:27 [avgcc.exe]

FilePath : C:\PROGRA~1\Grisoft\AVGFRE~1\

ProcessID : 240

ThreadCreationTime : 7-13-2006 11:42:24 AM

BasePriority : Normal

FileVersion : 7,1,0,381

ProductVersion : 7.1.0.381

ProductName : AVG Anti-Virus System

CompanyName : GRISOFT, s.r.o.

FileDescription : AVG Control Center

InternalName : AvgCC

LegalCopyright : Copyright © 2006, GRISOFT, s.r.o.

OriginalFilename : AvgCC.EXE

 

#:28 [zlclient.exe]

FilePath : C:\Program Files\Zone Labs\ZoneAlarm\

ProcessID : 372

ThreadCreationTime : 7-13-2006 11:42:25 AM

BasePriority : Normal

FileVersion : 6.5.722.000

ProductVersion : 6.5.722.000

ProductName : Zone Labs Client

CompanyName : Zone Labs, LLC

FileDescription : Zone Labs Client

InternalName : zlclient

LegalCopyright : Copyright © 1998-2006, Zone Labs, LLC

OriginalFilename : zlclient.exe

 

#:29 [wcescomm.exe]

FilePath : C:\Program Files\Microsoft ActiveSync\

ProcessID : 252

ThreadCreationTime : 7-13-2006 11:42:28 AM

BasePriority : Normal

FileVersion : 3.5.0.12007

ProductVersion : 3.5.12007

ProductName : Microsoft ActiveSync

CompanyName : Microsoft Corporation

FileDescription : Connection Manager

InternalName : wcescomm

LegalCopyright : Copyright © 1995-2001 Microsoft Corp. All rights reserved.

LegalTrademarks : Microsoft® and Windows® are registered trademarks of Microsoft Corporation.

OriginalFilename : WCESCOMM.EXE

 

#:30 [teatimer.exe]

FilePath : C:\Program Files\Spybot - Search & Destroy\

ProcessID : 780

ThreadCreationTime : 7-13-2006 11:42:31 AM

BasePriority : Idle

FileVersion : 1, 4, 0, 2

ProductVersion : 1, 4, 0, 3

ProductName : Spybot - Search & Destroy

CompanyName : Safer Networking Limited

FileDescription : System settings protector

InternalName : TeaTimer

LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.

LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.

OriginalFilename : TeaTimer.exe

Comments : Schützt Systemeinstellungen vor ungewollten Änderungen.

 

#:31 [wkcalrem.exe]

FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\

ProcessID : 1248

ThreadCreationTime : 7-13-2006 11:42:41 AM

BasePriority : Normal

FileVersion : 6.00.1911.0

ProductVersion : 6.00.1911.0

ProductName : Microsoft® Works 6.0

CompanyName : Microsoft® Corporation

FileDescription : Microsoft® Works Calendar Reminder Service

InternalName : WkCalRem

LegalCopyright : Copyright © Microsoft Corporation 1987-2000. All rights reserved.

OriginalFilename : WKCALREM.EXE

 

#:32 [realplay.exe]

FilePath : C:\Program Files\Real\RealOne Player\

ProcessID : 2332

ThreadCreationTime : 7-13-2006 11:44:31 AM

BasePriority : Idle

FileVersion : 6.0.12.1059

ProductVersion : 6.0.12.1059

ProductName : RealPlayer (32-bit)

CompanyName : RealNetworks, Inc.

FileDescription : RealPlayer

InternalName : REALPLAY

LegalCopyright : Copyright © RealNetworks, Inc. 1995-2004

LegalTrademarks : RealAudio is a trademark of RealNetworks, Inc.

OriginalFilename : REALPLAY.EXE

 

#:33 [firefox.exe]

FilePath : C:\Program Files\Mozilla Firefox\

ProcessID : 2388

ThreadCreationTime : 7-13-2006 11:44:34 AM

BasePriority : Normal

 

 

#:34 [ad-aware.exe]

FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~2\

ProcessID : 2808

ThreadCreationTime : 7-13-2006 11:50:14 AM

BasePriority : Normal

FileVersion : 6.2.0.236

ProductVersion : SE 106

ProductName : Lavasoft Ad-Aware SE

CompanyName : Lavasoft Sweden

FileDescription : Ad-Aware SE Core application

InternalName : Ad-Aware.exe

LegalCopyright : Copyright © Lavasoft AB Sweden

OriginalFilename : Ad-Aware.exe

Comments : All Rights Reserved

 

Memory scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Registry Scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started deep registry scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Deep registry scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Started Tracking Cookie scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

 

Tracking cookie scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

 

Deep scanning and examining files (C:)

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Disk Scan Result for C:\

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

New critical objects: 0

Objects found so far: 0

 

 

Scanning Hosts file......

Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

 

Hosts file scan result:

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

1 entries scanned.

New critical objects:0

Objects found so far: 0

 

 

8:24:22 PM Scan Complete

 

Summary Of This Scan

»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Total scanning time:00:33:40.625

Objects scanned:163378

Objects identified:0

Objects ignored:0

New critical objects:0


Attached below is my Hijackthis log. Thanks for your help once again.

 

Logfile of HijackThis v1.99.1

Scan saved at 8:31:09 PM, on 7/13/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Brave\Desktop\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa.com/

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk.disabled

O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm

O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB

O16 - DPF: {652524F4-F52B-4951-9C1E-30DB62B2B34D} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1sg.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/xp/ScanFilexp.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...427/mcfscan.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDC0D07-BFDD-4470-AD95-9571F61787A2}: NameServer = 165.21.100.88 165.21.83.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


Something you did got it, but there remains more to do. You can thank Kazaa for this mess. Not only is the free Kazaa client bundled with malware, downloading files from p2p networks is probably the number one way to get your computer infected, as most of those traded files are infected with all sorts of nasties.

 

You have evidence of a very very nasty trojan on there. It has a backdoor remote access capability, meaning your computer may well have been compromised. There are a number of trojans that use the cmd32.exe file name; this is just one example:

 

http://www.viruslibrary.com/virusinfo/Worm.P2P.Tanked.htm

Worm.P2P.Tanked.a

 

Last Modified: June 16, 2004

 

Tanked is a worm virus spreading via the Kazaa file sharing network.

 

The worm has a powerful backdoor routine that connects to an IRC channel and listens to commands from its "master".

 

The worm itself is a Windows PE EXE file about 100KB in length and written in Microsoft Visual C++. The worm is compressed by the UPX file compression utility and then encrypted with the "Krypton" Win EXE file encryptor.

 

When the infected file is run, the installation routine gains control.

 

Installation

While installing the worm copies itself to the Windows system directory under different names (see below) and registers the file in two system registry auto-run keys.

 

Worm-copy names are:

 

"Tanked.11": "system32.exe"
"Tanked.13": "winsys.exe"
"Tanked.14": "cmd32.exe"

 

The registry keys are:

 

"Tanked.11":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run SystemSAS = system32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices SystemSAS = system32.exe

"Tanked.13":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run WinSys = winsys.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices WinSys = winsys.exe

"Tanked.14":
HKLM\Software\Microsoft\Windows\CurrentVersion\Run CMD = cmd32.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices CMD = cmd32.exe

 

Spreading

The worm copies itself to the Kazaa directory with following names:

 

'Battlefield1942_bloodpatch.exe' 'Unreal2_bloodpatch.exe' 'UT2003_bloodpatch.exe' 'AquaNox2 Crack.exe' 'NBA2003_crack.exe' 'FIFA2003 crack.exe' 'C&C Generals_crack.exe' 'UT2003_keygen.exe' 'UT2003_no cd (crack).exe' 'Age of Empires 2 crack.exe' 'Anno 1503_crack.exe' 'C&C Renegade_crack.exe' 'Diablo 2 Crack.exe' 'Gothic 2 licence.exe' 'GTA 3 Crack.exe' 'GTA 3 patch (no cd).exe' 'Hitman_2_no_cd_crack.exe' 'Mafia_crack.exe' 'Neverwinter_Nights_licence.exe' 'NHL 2003 crack.exe' 'WarCraft_3_crack.exe' 'Splinter_Cell_Crack.exe' 'Battlefield1942_keygen.exe' 'Winamp 3.8.exe' 'MediaPlayer Update.exe' 'UT2003_patch.exe' 'ACDSee 5.5.exe' 'DivX Video Bundle 6.5.exe' 'Global DiVX Player 3.0.exe' 'QuickTime_Pro_Crack.exe' 'KaZaA Lite (New).exe' 'iMesh 3.7b (beta).exe' 'iMesh 3.6.exe' 'KaZaA Hack 2.5.0.exe' 'DirectDVD 5.0.exe' 'Flash MX crack (trial).exe' 'Ad-aware 6.5.exe' 'WinZip 9.0b.exe' 'SmartFTP 2.0.0.exe' 'ICQ Lite (new).exe' 'ICQ Pro 2003b (new beta).exe' 'ICQ Pro 2003a.exe' 'AOL Instant Messenger.exe' 'Download Accelerator Plus 6.1.exe' 'Trillian 0.85 (free).exe' 'MSN Messenger 5.2.exe' 'Network Cable e ADSL Speed 2.0.5.exe' 'mIRC 6.40.exe' 'GetRight 5.0a.exe' 'Pop-Up Stopper 3.5.exe' 'Yahoo Messenger 6.0.exe' 'KaZaA Speedup 3.6.exe' 'Nero Burning ROM crack.exe' 'WindowBlinds 4.0.exe' 'Animated Screen 7.0b.exe' 'Living Waterfalls 1.3.exe' 'Matrix Screensaver 1.5.exe' 'Popup Defender 6.5.exe' 'Space Invaders 1978.exe' 'SmartRipper v2.7.exe' 'TweakAll 3.8.exe' 'DVD Copy Plus v5.0.exe' 'Serials 2003 v.8.0 Full.exe' 'Zelda Classic 2.00.exe' 'Need 4 Speed crack.exe' 'Links 2003 Golf game (crack).exe' 'Netfast 1.8.exe' 'Guitar Chords Library 5.5.exe' 'DVD Region-Free 2.3.exe' 'Cool Edit Pro v2.55.exe' 'Coffee Cup Free HTML 7.0b.exe' 'Clone CD 5.0.0.3.exe' 'Clone CD 5.0.0.3 (crack).exe' 'Nimo CodecPack (new) 8.0.exe' 'Business Card Designer Plus 7.9.exe' 'Steinberg_WaveLab_5_crack.exe' 'Hot Babes XXX Screen Saver.exe' 'FreeRAM XP Pro 1.9.exe' 'IrfanView 4.5.exe' 'Audiograbber 2.05.exe' 'WinOnCD 4 PE_crack.exe' 'Final Fantasy VII XP Patch 1.5.exe' 'BabeFest 2003 ScreenSaver 1.5.exe' 'PalTalk 5.01b.exe' 'DirectX Buster (all versions).exe' 'DirectX InfoTool.exe' 'Unreal2_crack.exe' 'FlashGet 1.5.exe' 'Babylon 3.50b reg_crack.exe' 'mp3Trim PRO 2.5.exe'

 

Other

'Tanked' has "copyright" text strings:

 

"Tanked.11": T~Drone.11 t69 [sd]v0.5b TankEd.11 [sd]v0.5b TankEd.11 by [sd]
"Tanked.13": T~Drone.13 t69 [sd]v0.5b TankEd.13 [sd]v0.5b TankEd.13 by [sd]
"Tanked.14": T~Drone.14 t69 [sd]v0.5b TankEd.14 [sd]v0.5b TankEd.14 by [sd]

 

I'll come right back in a separate response with the next steps to take for cleaning up your computer, but I thought you would need the above information to make a decision or not on whether you need to think about a reformat/reinstall and protecting any valuable or sensitive data you may have stored on your PC.


You'll need to disable Spybot's teatimer during this fix or else it will block any changes we are trying to make.

 

1) Open Spybot-S&D

2) Go to the Mode menu and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

 

Once your computer is clean you can re-enable teatimer.

................

After reboot, open HijackThis

Select *system scan only*

When it finishes, place a checkmark next to each of these, and then press the *fix checked* button after all have been checkmarked.

 

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa.com/

 

O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)

 

O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)

 

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

 

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

 

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

 

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

 

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -

 

O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)

 

Delete this file (if found)

cmd32.exe

 

Reboot your PC.

 

Scan once more with HijackThis and post a fresh log please :)

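The fix list above and the Worm.P2P.Tanked write-up quoted earlier both boil down to a few log-reading rules: an extra executable chained into UserInit, a RunServices autorun on XP (a Windows 9x key that XP itself never populates), one of the Tanked copy names (system32.exe, winsys.exe, cmd32.exe), a Winlogon Notify package whose DLL is gone, and BHO/toolbar/DPF entries whose files no longer exist. The script below is an added example written for this thread, not a tool from the original posts or from the HijackThis project; it encodes those rules as a triage pass over HijackThis v1.99.1 log lines. The sample log is constructed from a handful of lines in the log posted above, and the severity labels are the editor's own judgement, not anything HijackThis emits.

```python
import re
from typing import Dict, List, Optional, Tuple

# Copy names used by Worm.P2P.Tanked, from the write-up quoted in this thread.
TANKED_NAMES = {"system32.exe", "winsys.exe", "cmd32.exe"}

# The only executable that belongs in system.ini's UserInit value on XP.
EXPECTED_USERINIT = "userinit.exe"

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.kazaa.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)
O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [CMD] cmd32.exe
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O20 - Winlogon Notify: winhdn32 - winhdn32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# O4 body: HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] ?(.*)$")


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of both slash styles."""
    return path.replace("/", "\\").rstrip("\\").split("\\")[-1].strip().lower()


def _first_token(cmd: str) -> str:
    """The program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()

    if section == "F2" and "UserInit=" in body:
        entries = [e.strip() for e in body.split("UserInit=", 1)[1].split(",") if e.strip()]
        extra = [e for e in entries if _basename(e) != EXPECTED_USERINIT]
        if extra:
            return ("high", "extra program chained into UserInit: " + ", ".join(extra))
        return None

    if section in ("O2", "O3") and body.endswith("(no file)"):
        return ("low", "orphaned BHO/toolbar registration; the file is no longer present")

    if section == "O4":
        km = O4_RE.match(body)
        if km:
            _hive, key, name, cmd = km.groups()
            exe = _basename(_first_token(cmd))
            if exe in TANKED_NAMES:
                return ("high", f"autorun '{name}' launches {exe}, a Worm.P2P.Tanked copy name")
            if key == "RunServices":
                return ("medium", "RunServices is a Win9x key; on XP only software that plants itself there uses it")
        return None

    if section == "O16" and body.rstrip().endswith("-"):
        return ("low", "ActiveX download entry with no source URL (orphaned)")

    if section == "O20" and body.startswith("Winlogon Notify") and "(file missing)" in body:
        return ("high", "Winlogon Notify package registered but its DLL is missing")

    return None


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run check_line over a whole log and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        verdict = check_line(line)
        if verdict:
            m = LINE_RE.match(line.strip())
            findings.append({"severity": verdict[0], "section": m.group(1),
                             "reason": verdict[1], "line": line.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['section']}: {f['reason']}\n         {f['line']}")
```

The rules deliberately stay conservative: a full path under a Run key is left alone even when the product is unknown, because that is exactly the case where a human needs to look the file up; the script only pre-sorts the entries a helper would ask about first.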

Hi CalamityJane, shown below is my new log file. Would it still be necessary to format my computer as you have mentioned in your previous reply? Thanks once again.

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:54:51 AM, on 7/14/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Real\RealOne Player\RealPlay.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Brave\Desktop\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk.disabled

O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm

O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB

O16 - DPF: {652524F4-F52B-4951-9C1E-30DB62B2B34D} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1sg.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/xp/ScanFilexp.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...427/mcfscan.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDC0D07-BFDD-4470-AD95-9571F61787A2}: NameServer = 165.21.100.88 165.21.83.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe


[Attached screenshot: post-6024-1152810216_thumb.jpg]

Hi CalamityJane, after following your instructions and then turning on my TeaTimer, there were many windows that popped up and I clicked deny change. Was this correct? Above is the screen which shows what registry changes I denied. thx.


Were you able to find and delete this file?

 

cmd32.exe

 

Get an online AV scan at one (preferably both) of the following. Please save the log at the end and post the results back here:

 

eTrust Antivirus Web Scanner

http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

(if prompted, please *allow* Active X and the install of software - this is needed to scan your system)

It will take a while to download the updates needed, and then you'll be presented with a screen to scan your system.

 

 

Panda's Active Scan

http://www.pandasoftware.com/products/activescan.htm


Hi CalamityJane, I have done a search for cmd32.exe but it returned no results. I couldn't find it.

 

For the scan using eTrust Antivirus, I couldn't find a button to produce the log. However, the below two infected files were found.

 

 

First infection
File: Online Security Guide.url
Infection: Win32/Moisho
Status: deleted
Path: C:\Documents and Settings\All Users\Start Menu\

Second infection
File: Security Troubleshooting.url
Infection: Win32/Moisho
Status: deleted
Path: C:\Documents and Settings\All Users\Start Menu\

 

 

As for the Panda scan, the log report is shown below:

 

Incident Status Location

 

Dialer:Dialer.Y Not disinfected

C:\dialler.exe

 

Spyware:Cookie/Tradedoubler Not disinfected

C:\Do######ents and Settings\Administrator1\Application

Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.tradedoubler.com/]

 

Spyware:Cookie/Casalemedia Not disinfected

C:\Do######ents and Settings\Administrator1\Application

Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.casalemedia.com/]

 

Spyware:Cookie/Overture Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.overture.com/]

 

Spyware:Cookie/FastClick Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.fastclick.net/]

 

Spyware:Cookie/Advertising Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[servedby.advertising.com/]

 

Spyware:Cookie/Advertising Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.advertising.com/]

 

Spyware:Cookie/Hitbox Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.hitbox.com/]

 

Spyware:Cookie/Doubleclick Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.doubleclick.net/]

 

Spyware:Cookie/Statcounter Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.statcounter.com/]

 

Spyware:Cookie/YieldManager Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[ad.yieldmanager.com/]

 

Spyware:Cookie/Go Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.go.com/]

 

Spyware:Cookie/Zedo Not disinfected

C:\Do######ents and Settings\Administrator1\Application

Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.zedo.com/]

 

Spyware:Cookie/Hitbox Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.ehg-dig.hitbox.com/]

 

Spyware:Cookie/Zedo Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.zedo.com/]

 

Spyware:Cookie/Tribalfusion Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.tribalfusion.com/]

 

Spyware:Cookie/Atlas DMT Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.atdmt.com/]

 

Spyware:Cookie/2o7 Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.2o7.net/]

 

Spyware:Cookie/Mammamediasolutions Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.targetnet.com/]

 

Spyware:Cookie/Com.com Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.com.com/]

 

Spyware:Cookie/WebtrendsLive Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[statse.webtrendslive.com/]

 

Spyware:Cookie/Hitbox Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.ehg.hitbox.com/]

 

Spyware:Cookie/Belnk Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.belnk.com/]

 

Spyware:Cookie/RealMedia Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.realmedia.com/]

 

Spyware:Cookie/BurstNet Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.burstnet.com/]

 

Spyware:Cookie/Hbmediapro Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.adopt.hbmediapro.com/]

 

Spyware:Cookie/Adserver Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.z1.adserver.com/]

 

Spyware:Cookie/WUpd Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.revenue.net/]

 

Spyware:Cookie/Valueclick Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.valueclick.com/]

 

Spyware:Cookie/888 Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.888.com/]

 

Spyware:Cookie/PointRoll Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.ads.pointroll.com/]

 

Spyware:Cookie/Server.iad.Liveperson Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[server.iad.liveperson.net/]

 

Spyware:Cookie/Adtech Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.adtech.de/]

 

Spyware:Cookie/WebtrendsLive Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[statse.webtrendslive.com/dcs5jfw6yerp17rsx1wty26pa_1j9i]

 

Spyware:Cookie/PayCounter Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Firefox\Profiles\cmmf0qwp.default\cookies.txt[.paycounter.com/]

 

Spyware:Cookie/Doubleclick Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.doubleclick.net/]

 

Spyware:Cookie/Atlas DMT Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.atdmt.com/]

 

Spyware:Cookie/Atwola Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.atwola.com/]

 

Spyware:Cookie/2o7 Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.2o7.net/]

 

Spyware:Cookie/Statcounter Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.statcounter.com/]

 

Spyware:Cookie/Mediaplex Not disinfected

C:\Do######ents and Settings\Administrator1\Application Data\Mozilla\Profiles\default\6fkv0g2g.slt\cookies.txt[.mediaplex.com/]

 

Spyware:Cookie/2o7 Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

Spyware:Cookie/YieldManager Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

Spyware:Cookie/NewMedia Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

Spyware:Cookie/Belnk Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][1].txt

Spyware:Cookie/BurstNet Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

Spyware:Cookie/Com.com Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][1].txt

 

Spyware:Cookie/Belnk Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][2].txt

 

Spyware:Cookie/Screensavers Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][1].txt

 

Spyware:Cookie/MediaTickets Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][1].txt

 

Spyware:Cookie/Searchportal Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected][1].txt

 

Spyware:Cookie/Mp3s Hits Not disinfected

C:\Documents and Settings\Administrator1\Cookies\[email protected]######s[1].txt

 

 

THANKS FOR YOUR HELP!



Interesting report from eTrust. Those items it found suggest a Smitfraud infection.

 

Let's try this free specialized tool

 

(this tool will reset your desktop to a default setting, but you will be able to change it to your preference afterwards)

 

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).

http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

 

How to extract (decompress) zipped or compressed files

http://www.lvsonline.com/compresstut/index.shtml

 

Note : process.exe is part of the SmitFraudFix tool and is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky, Panda) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

 

 

2. Reboot into Safe Mode

You can usually do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

 

How to start the computer in Safe mode

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

 

3. Once in Safe mode, open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #2 - Clean by typing 2 and press Enter.

Wait for the tool to complete and disk cleanup to finish.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

 

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually.

 

4. Once back into normal mode, please scan with HijackThis to produce a log. Post that log into your topic along with the other requested logs named below.

 

Logs needed in your next post are:

 

rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed

 

Fresh HijackThis log

.....................................

I would also like to take a closer look at the file found by Panda:

C:\dialler.exe

 

Go here to upload the file as an attachment

http://www.thespykiller.co.uk/forum/index.php?board=1.0

Just press new topic (Make the subject: For CalamityJane from avbferry at LS ),

fill in a short message & then press the browse button and then navigate to & select this file on your computer, then press the *Post* button to upload the file

 

File to upload:

 

C:\dialler.exe

 

(Do not post HJT logs there as they will not get dealt with)

 

You DO NOT need to be a member to upload, anybody can upload the files

 

You will not see the files that have been uploaded as they only show to the authorized users who can download them. I will be able to collect the file from there and will reply back here to you in this topic with steps to remove it, if necessary.


Hi CalamityJane, have done as you have said. The two reports you mentioned are below.

 

Logfile of HijackThis v1.99.1

Scan saved at 9:08:27 PM, on 7/20/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Real\RealOne Player\RealPlay.exe

C:\Program Files\Real\RealOne Player\RealPlay.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Brave\Desktop\hijackthis\HijackThis.exe

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk.disabled

O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm

O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB

O16 - DPF: {652524F4-F52B-4951-9C1E-30DB62B2B34D} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1sg.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/xp/ScanFilexp.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} -

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...427/mcfscan.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDC0D07-BFDD-4470-AD95-9571F61787A2}: NameServer = 165.21.100.88 165.21.83.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

 

 

 

 

 

 

SmitFraudFix v2.74

 

Scan done at 20:55:26.04, Thu 07/20/2006

Run from C:\Documents and Settings\Brave\Desktop\SmitfraudFix\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

Fix ran in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

THANKS FOR YOUR HELP!


Thanks for uploading the dialler.exe file. It's infected (a porn dialer). You can delete this file:

C:\dialler.exe

 

Spybot's teatimer is still running and that is blocking the fixes we are trying to make with HijackThis. Could you please scroll up to follow my instructions to temporarily shut it down so that these fixes can be made?

 

Then, open HijackThis and do a *system scan only*

When it finishes, checkmark these items in the list and then press the *fix checked* button:

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,

 

O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)

 

O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)

 

O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)

 

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

 

O4 - HKLM\..\RunServices: [CMD] cmd32.exe

 

O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\

 

Reboot your PC.

 

Scan once more with HijackThis and post a fresh log please. Let's make sure those above items are now gone. If not, some security software you have running is blocking the fix.

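As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script for the kind of HJT fix list CalamityJane gives above. It flags the entry types she singled out: components registered with no file behind them ("(no file)" / "(file missing)"), a UserInit value that launches anything beyond userinit.exe, an autostart in the legacy RunServices key, and a Winlogon Notify entry that points at a directory instead of a DLL. It then checks a follow-up log to confirm the listed items are really gone, which is the "let's make sure those items are now gone" step. The sample logs are constructed from lines in the logs posted in this thread; the heuristics are my own, not HijackThis's, and a flag is a prompt for review, not a verdict: the msnim O18 entry gets flagged as an orphan, but it only belongs to an uninstalled MSN Messenger and was not on the fix list.

```python
"""Triage a HijackThis (HJT) log and verify that requested fixes took effect.

Added example for this thread; the flagging rules are my own heuristics,
not anything HijackThis itself implements.
"""
import re

# Constructed sample lines, copied from the HJT logs posted in this thread.
# Entries that were present both before and after the fix:
BENIGN = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r'O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)',
    r"O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll",
]
# The seven lines the helper asked to have fixed:
FIX_ITEMS = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\userinit32.exe,",
    r"O2 - BHO: (no name) - {38fec3d6-4318-4b26-bba0-7617b00e8c77} - (no file)",
    r"O3 - Toolbar: (no name) - {480B42DC-5182-4481-AC1E-5A149A3878C3} - (no file)",
    r"O3 - Toolbar: ReGet Bar - {17939A30-18E2-471E-9D3A-56DD725F1215} - (no file)",
    r"O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)",
    r"O4 - HKLM\..\RunServices: [CMD] cmd32.exe",
    "O20 - Winlogon Notify: winhdn32 - C:\\WINDOWS\\",  # not raw: a raw string cannot end in a backslash
]
BEFORE_LOG = "\n".join(BENIGN[:2] + FIX_ITEMS + BENIGN[2:])  # log before the fix
AFTER_LOG = "\n".join(BENIGN)                                 # fresh log after the fix

# HJT entry lines look like "O2 - BHO: ..." / "F2 - REG:system.ini: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (kind, body, raw_line) for every HJT entry line in the log."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return entries


def _userinit_extras(body):
    """Programs listed in UserInit other than the expected userinit.exe."""
    value = body.split("UserInit=", 1)[1]
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith("\\userinit.exe")]


def triage(text):
    """Map each suspicious raw line to the reason it was flagged."""
    findings = {}
    for kind, body, raw in parse_hjt(text):
        low = body.lower()
        if "(no file)" in low or "(file missing)" in low:
            # Registration still exists but the component is gone (orphan).
            findings[raw] = "registered component whose file is gone (orphan)"
        elif kind == "F2" and "userinit=" in low:
            # Winlogon runs everything in this list at logon; only userinit.exe belongs there.
            extras = _userinit_extras(body)
            if extras:
                findings[raw] = "UserInit launches extra program(s): " + ", ".join(extras)
        elif kind == "O4" and "\\runservices:" in low:
            # Legacy Win9x-era autostart key; normal XP software does not use it.
            findings[raw] = "autostart in legacy RunServices key"
        elif kind == "O20" and not low.rstrip().endswith(".dll"):
            # A Winlogon Notify package must name a DLL; a bare directory is malformed.
            findings[raw] = "Winlogon Notify entry that does not point at a .dll"
    return findings


def still_present(fix_items, after_text):
    """Fix items (exact HJT lines) that still appear in a follow-up log."""
    after = {raw for _, _, raw in parse_hjt(after_text)}
    return [item.strip() for item in fix_items if item.strip() in after]


if __name__ == "__main__":
    for line, why in triage(BEFORE_LOG).items():
        print(f"REVIEW: {why}\n    {line}")
    leftover = still_present(FIX_ITEMS, AFTER_LOG)
    print("\nAll fix items gone" if not leftover else "\nStill present:\n" + "\n".join(leftover))
```

Run it as a script to see the review list for the pre-fix log and the confirmation for the post-fix log. If `still_present` returns anything, that is the "some security software you have running is blocking the fix" case from the post above, such as TeaTimer silently reverting registry changes.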

Hi CalamityJane, Attached below is the HJT logfile.

 

Logfile of HijackThis v1.99.1

Scan saved at 1:13:31 AM, on 7/21/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\system32\dumprep.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Microsoft Money\System\urlmap.exe

C:\Documents and Settings\Brave\Desktop\hijackthis\HijackThis.exe

C:\WINDOWS\system32\dumprep.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [iMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: GetRight - Tray Icon.lnk.disabled

O4 - Global Startup: KYESCAN.lnk = C:\Program Files\ScannerU\KYESCAN.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Do&wnload by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_Link.htm

O8 - Extra context menu item: Download A&ll by ReGet Deluxe - C:\Program Files\Common Files\ReGet Shared\CC_All.htm

O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INETREPL.DLL

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {023A3744-EA13-4C8A-8B23-ABF98974A9F5} (JoyOnPack Control) - http://gunbound.joyon.com/joyonpack.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.burj-al-arab.com/flashcab/ipix/ipixx.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB

O16 - DPF: {652524F4-F52B-4951-9C1E-30DB62B2B34D} - http://us.dl1.yimg.com/download.yahoo.com/...ropper1_1sg.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {84B7AC1D-9AD1-474F-B6B0-FE1641DBFDFA} - http://www.contentpurity.com/xp/ScanFilexp.CAB

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} -

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} -

O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...427/mcfscan.cab

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion....ebio5_1_6_0.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FDC0D07-BFDD-4470-AD95-9571F61787A2}: NameServer = 165.21.100.88 165.21.83.88

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcsvc.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Thanks for your help!


I think you got it! ;)

 

Your Sun Java is out of date, and old versions left on your PC, even after updating, can be vulnerable to malware exploit. Go to Start / Control Panel and look in Add/Remove programs. Remove all old versions of Sun Java.

They will appear in the "J's" something similar to:

 

j2re1.4.2_05 or

 

JAVA 2 RUNTIME ENVIRONMENT SE V1.4.2_03

 

JAVA 2 RUNTIME ENVIRONMENT SE V.14.2_06

 

(or similar, and there may be more than one. Remove them all)

 

Then go get the latest up to date version here:

http://www.java.com/en/download/manual.jsp

 

Here's why removing old versions of Sun Java is important:

Potential Vulnerability with Sun Java auto update

http://www.dslreports.com/forum/remark,14738046

................................

Some final cleanup and prevention recommendations follow.

 

If you haven't updated your Adaware SE since we started this topic, you should do that now as there was a large update on the 17th which addressed some of the newer variants of Smitfraud, so additional remnants may be found when you do a full system scan (don't be surprised if future updates continue to find anything left over - Adaware scans deeper than the tools we have been using here)

 

Do a disk cleanup. Go to Start > Run and type in the box: Cleanmgr

Wait while Windows scans your system for files to delete.

Make sure these 3 are checkmarked and press *ok* to delete them.

 

Temporary Files

Temporary Internet Files

Recycle Bin

 

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

 

One of the best features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after malware removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Put a Checkmark in the box next to "Turn off System Restore".

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

Go to Start and right-click on *My Computer*.

Click Properties.

Click the System Restore tab.

Remove the checkmark next to "Turn off System Restore".

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

 

Next, I highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How do I prevent Browser Hijacks and Spyware?

http://www.dslreports.com/faq/13620

 

I'm happy to see you have SP2 installed. That will address numerous security issues in your Operating System and IE.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month. This is the first step in malware prevention, as many nasties now take advantage of new exploits and if not patched, you are vulnerable!

Windows Update

http://update.microsoft.com/microsoftupdate/

 

And see this link for instructions on how to configure the enhanced security features in SP2:

http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

 

I also highly recommend to get the free tool, Microsoft Baseline Security Analyzer (MBSA) from Microsoft to analyze your PC security for prevention purposes.

 

MBSA Version 2.0 will scan for common system misconfigurations on Windows 2000, Windows XP, and Windows Server 2003 systems. This program will identify the system security weaknesses in your browser and operating system and provides easy instructions to correct them. This includes any missing critical Windows security updates, system vulnerabilities and your IE Browser security settings. Get the download here:

Microsoft Baseline Security Analyzer

http://www.microsoft.com/technet/security/...s/mbsahome.mspx

Choose MBSAsetup-EN.msi = (English Version) or the language appropriate for you.

 

Also visit this Free Online Scanner from Microsoft for PC Health and Safety

http://safety.live.com/site/en-US/default.htm

and Microsoft Security At Home

http://www.microsoft.com/athome/security/default.mspx

for tips to Protect your Pc, Protect yourself and Protect your Family.


Hi CalamityJane, in the link you provided on how to prevent hijacks and so on, there were many programs that were suggested for download there. Would it be sufficient to just have the following?

 

(1) Spybot S&D

(2) Adaware

(3) Spyware Blaster

(4) Microsoft Baseline Security Analyzer 2.0

 

Thanks for your help. =)


Those are good software programs, but you need also to keep your operating system up to date (Windows Critical Security updates - check every month for new updates) and practice safe surfing habits.


You're quite welcome, avbferry

 

Glad we could help :D

 

Since your issues appear to be resolved, I'll go ahead and move this to the archives of Resolved problems. If you should have any further issues, please feel free to start a new topic :D
