Status: Not open for further replies.
1 - 8 of 8 Posts

Registered · 28 Posts · Discussion Starter · #1
Hi, I have this virus that won't let me open my msconfig or admin services. I'm in safe mode right now because I can't run hijackthis otherwise.

All of my other trojan and virus detection and removal programs either don't detect it or don't remove it when I try.

It also puts this install.exe on my desktop whenever I restart. Pop-ups occur and every now and then it changes my homepage to www.messengersite....something

Here is my scan and save file from HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:07:27 AM, on 1/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David Porayko\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.messengersite.net/forum/portal.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\bgaeii\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\bgaeii\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [{38410BDD-0BB2-1033-0609-030403040001}] "C:\Program Files\Common Files\{38410BDD-0BB2-1033-0609-030403040001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Vpap] C:\Documents and Settings\David Porayko\My Documents\F?nts\t?skmgr.exe
O4 - HKCU\..\Run: [WinService] c:\windows\apvxdwin.exe
O4 - HKCU\..\Run: [winupdate] c:\windows\sysact.exe
O4 - Startup: winlogon.lnk = ?
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab30149.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095065774031
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127287400625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Thanks for any help you can provide
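The O1 block in the log above is the part of this infection a responder cares about most: it pins dozens of security-vendor domains to 1.1.1.1 so antivirus updates and support sites silently fail. Below is an added Python triage script (not part of this thread and not HijackThis' own code) that scans a HijackThis log for that pattern, for the F3 win.ini load=/run= autostarts and for O23 services flagged "(file missing)"; the vendor suffix list and the sample lines are constructed from the log posted above.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code).

Flags three patterns visible in the posted log:
  * O1 hosts-file entries that map a security-vendor domain to anything other
    than loopback (here 1.1.1.1), which blocks AV updates and support sites;
  * F3 win.ini load=/run= entries, a legacy autostart that should be empty on XP;
  * O23 services whose binary is reported "(file missing)".
"""
import re
from dataclasses import dataclass
from typing import List

# Vendor domains seen in the posted log; a constructed watch-list, extend as needed.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "f-secure.com", "grisoft.com",
    "trendmicro.com", "kaspersky.com", "bitdefender.com", "avast.com",
    "microsoft.com", "sysinternals.com", "merijn.org", "ewido.net",
)

O1_RE = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
F3_RE = re.compile(r"^F3 - REG:win\.ini:\s+(?P<key>load|run)=(?P<value>.*)$")
O23_RE = re.compile(r"^O23 - Service:\s+(?P<name>.+?) - .*\(file missing\)\s*$")


@dataclass
class Finding:
    code: str    # HijackThis section code: O1, F3 or O23
    detail: str  # human-readable reason for the flag
    line: str    # the offending log line, verbatim


def hosts_entry_is_hijack(ip: str, host: str) -> bool:
    """True when a security-vendor domain is pinned to a non-loopback address."""
    if ip in ("127.0.0.1", "::1"):
        return False
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def triage(log_text: str) -> List[Finding]:
    """Walk the log line by line and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            if hosts_entry_is_hijack(m["ip"], m["host"]):
                findings.append(Finding("O1", f"hosts file maps {m['host']} to {m['ip']}", line))
        elif m := F3_RE.match(line):
            if m["value"].strip():
                findings.append(Finding("F3", f"win.ini {m['key']}= autostart: {m['value'].strip()}", line))
        elif m := O23_RE.match(line):
            findings.append(Finding("O23", f"service '{m['name']}' points at a missing binary", line))
    return findings


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = """\
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 127.0.0.1 localhost
F3 - REG:win.ini: load=C:\\WINDOWS\\system32\\bgaeii\\winlogon.exe
F3 - REG:win.ini: run=C:\\WINDOWS\\system32\\bgaeii\\winlogon.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: COM+ Messages - Unknown owner - C:\\WINDOWS\\system32\\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.detail}")
```

Run it against a full saved HijackThis log to get the same O1/F3/O23 flags the moderator picks out by hand in the replies.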
 

Retired Moderator · 72,209 Posts
Hi, Welcome to TSG!!

Run HijackThis and click Open the Misc Tools section
Click Open Uninstall Manager, Save list and save the log to your Desktop.
A list of programs will open in Notepad. Post the contents of the log here in your next reply.
 

Registered · 28 Posts · Discussion Starter · #5
Hi, thanks for the welcome :)

Here it is:

Ad-Aware SE Personal
Adobe Acrobat 4.0
Ahead Nero BurnRights
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
Autodesk DWF Viewer
AVG Free Edition
BitTorrent 4.24.0
CCleaner (remove only)
DC++ 0.691
Diablo II
DivX Codec
DVD Solution
GPGNet
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
InterActual Player
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.9.30
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (1.5.0.9)
MPIO Manager 2
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Nero 6 Ultra Edition
Nero Digital
Nero Mega Plugin Pack
NoAdware v5.0
Outerinfo
PcBugDoctor 1,0,0,3
PowerDVD
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Sony Media Manager 2.0
Sound Blaster Audigy
SpyHunter
SpywareGuard v2.2
STOPzilla!
StuffPlug-NG (Messenger Plus! Plugins)
Symantec Network Driver Update
System Alert Popup
TeamSpeak 2 RC2
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Ventrilo Client
Video ActiveX Object 2.07
ViewSonic Monitor Drivers
Wave11 MSN
WebCam for MSN Messenger
WebDP 2.07
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinPcap 3.1 beta4
WinRAR archiver
World of Warcraft
 

Retired Moderator · 72,209 Posts
Go to control panel, add/remove programs and remove these:
BitTorrent
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
LimeWire 4.9.30
Outerinfo

Download the Hoster and unzip it to your desktop.
www.funkytoad.com/download/hoster.zip

Next, open the Hoster
Make sure that you see "Your hosts file is editable"; if not, click the button in the upper right corner.
Now, click on 'back up Host files',
then click on 'Restore Microsoft's original host files'.
Finally, close the hoster.

Run HJT again and put a check in the following:

R3 - URLSearchHook: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\bgaeii\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\bgaeii\winlogon.exe
O2 - BHO: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
O4 - HKLM\..\Run: [{38410BDD-0BB2-1033-0609-030403040001}] "C:\Program Files\Common Files\{38410BDD-0BB2-1033-0609-030403040001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKCU\..\Run: [WinService] c:\windows\apvxdwin.exe
O4 - HKCU\..\Run: [winupdate] c:\windows\sysact.exe
O4 - Startup: winlogon.lnk = ?
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)

Close all applications and browser windows before you click "fix checked".

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy the entire contents of the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Folders to delete:
C:\WINDOWS\system32\bgaeii
C:\WINDOWS\system32\nfomon
C:\WINDOWS\system32\vidmon
C:\Program Files\Common Files\{38410BDD-0BB2-1033-0609-030403040001}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Download and install AVG Anti-Spyware 7.5 AVG ANTI-SPYWARE IS ONLY FOR SYSTEMS RUNNING WIN 2K and XP
    (This is Ewido 4.0 renamed. If you already have Ewido installed, please update to this version which has a special "clean driver" for removing persistent malware)
    1. After download, double click on the file to launch the install process.
    2. Choose a language, click "OK" and then click "Next".
    3. Read the "License Agreement" and click "I Agree".
    4. Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    5. After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
    7. Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    8. Go to Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab" and scroll down the list to find AVG Anti-Spyware guard.
    • When you find the guard service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Manual".
    • Now click "Apply", then "OK" and close the Services window.
    9. Select the "Update" button and click "Start update". Wait until you see the "Update successful" message. If you are having problems with the updater, manually update with the AVG Anti-Spyware Full database installer from here. Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.

    Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

    Scan with AVG Anti-Spyware as follows:
    1. Launch AVG Anti-Spyware, click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan?" check all (default).
    • Under "Possibly unwanted software" check all (default).
    • Under "What to Scan?" make sure "Scan every file" is selected (default).
    • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
    2. Click the "Scan" tab to return to scanning options.
    3. Click "Complete System Scan" to start.
    4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

    IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

    5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    6. Exit AVG Anti-Spyware when done, reboot normally and submit the log report in your next response.

    Note: Close all open windows and programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. If Explorer or other programs are open during the scan, certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    Note: If AVG Anti-Spyware "crashes" or "hangs" during the scan, try scanning again by doing this:
    1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

    2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.
 

Registered · 28 Posts · Discussion Starter · #7
Ok, did all that.

For the HJT step the following were not on the list:

R3 - URLSearchHook: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
O2 - BHO: (no name) - {0344E14F-50AC-2A0E-897B-7412974EE6C6} - C:\WINDOWS\system32\xbf.dll
O4 - HKLM\..\Run: [{38410BDD-0BB2-1033-0609-030403040001}] "C:\Program Files\Common Files\{38410BDD-0BB2-1033-0609-030403040001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe

and the following could not be deleted:

O4 - Startup: winlogon.lnk = ?

Other than that, here is my AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:00:54 PM 1/15/2007

+ Scan result:

C:\Program Files\PeDevice\PeDev.dll -> Adware.Delfin : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Uninstall Information\RemoveWebDP.exe -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/nfomon/nfo.ocx -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/nfomon/nfom.dll -> Adware.DelphinMediaViewer : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\isamonitor.exe -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Video ActiveX Object\uninst.exe -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-789336058-682003330-1004\Software\Internet Security -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-789336058-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E1412445-4FF8-410E-8D24-F2CF86B171A4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Ipwindows\ipwins.dll -> Adware.Maxifiles : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\avenger\backup.zip/avenger/{38410BDD-0BB2-1033-0609-030403040001}/system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-789336058-682003330-1004\Software\ToolBar -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-789336058-682003330-1004\Software\ToolBar\all -> Adware.WebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-1123561945-789336058-682003330-1004\Software\ToolBar\all\History -> Adware.WebSearch : Cleaned with backup (quarantined).
:mozilla.90:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.91:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.70:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.71:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.160:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.161:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.162:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.33:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.186:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.83:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.66:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.67:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.68:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.69:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.109:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.110:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.111:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.112:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.113:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.171:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.172:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.173:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.174:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.100:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.96:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.97:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.98:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.99:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.208:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.92:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.93:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.94:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.95:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.101:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.102:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.103:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.104:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.105:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.106:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.107:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.45:C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\tj5dzr6r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.88:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.89:C:\Documents and Settings\David Porayko\Application Data\Mozilla\Firefox\Profiles\default.pyz\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\SYSTEM32\wintsvsu.exe -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

Thank you so much for the help. I'll keep you updated if any problems occur.
 