
Registered · 23 Posts · Discussion Starter · #1
Hi,
I am cleaning a computer for a friend. I have downloaded AVG Free, Spybot S&D and ZoneAlarm.
I have scanned with AVG, Spybot and Ad-Aware, and found several trojans, most of which were healed. Could someone have a look at the HijackThis log and tell me if there is anything still remaining that needs attention?

Thank you

Logfile of HijackThis v1.99.1
Scan saved at 10:47:07 a.m., on 13/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Ultimate Defender\App.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\documents and settings\coral\application data\winantiviruspro2006freeinstall[1].exe
C:\DOCUME~1\Coral\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll
O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Coral\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133574571625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146864049046
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/DriverDetective-m.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: faxvss - C:\WINDOWS\Registration\faxvss.dll (file missing)
O20 - Winlogon Notify: oleftp - C:\WINDOWS\system\oleftp.dll (file missing)
O20 - Winlogon Notify: openglwx - openglwx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: PavPrSrv - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
 

Registered · 6,693 Posts
Hi Beau-nz,

There are nasties installed on your system.
I'm asking a moderator to move your thread to the Security forum.
 

Registered · 46,465 Posts
I've moved your thread to the Security forum. I'll post directions for you in a new reply after I look through the log.
 

Registered · 46,465 Posts
* Before we do anything else, please post an uninstall list for me using the HijackThis Uninstall Manager:

  • Open HijackThis and click on the Open the Misc Tools section button.
  • Click on the Open Uninstall Manager button.
  • Click the Save List button.
  • After you click the "Save List" button, you will be asked where to save the file.
  • Pick a place to save it then the list should open in notepad.
  • Copy and paste that list in your next reply to this thread.
 

Registered · 23 Posts · Discussion Starter · #5
Here is the list you requested. Thanks for your time. My friend did say she got a toll bill and was advised to put a toll bar on her line.


AC3Filter (remove only)
Actions MP3 Player Utilities
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
AVG Free Edition
Battlefield 1942
BJ Printer
CardRd81
CCHelp
CCScore
Chicken Invaders v1.30
C-Media 3D Audio
C-Media WDM Audio Driver
CR2
desperate_housewives Screen Saver
Diamond Caves II
Dirt Track Racing 2
Dragon Ninja Saga v2.0
DTR Pinball 1.0
Dynalink ADSL Router USB Driver
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
Ford Racing 2
Global Operations
Grey Olltwit's Bowling Game
Grey Olltwit's Crazy Golf
Grey Olltwit's Potty Pool
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
HLPRFO
Icy Tower 1.1
ImageMixer
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Kodak EasyShare software
KSU
Leadfoot
Logical Journey of the Zoombinis V1.1.0
LOTR The Return of the King tm
Macromedia Shockwave Player
MicroStaff WINASPI
Monsters, Inc. Wreck Room Arcade
Motorola SM56 Speakerphone Modem
Mozilla Firefox (1.0.7)
MP3 Player Utilities
MS Access 97 SP2
MSN
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
Need For Speed Hot Pursuit 2
Need2Find Bar
Nero OEM
Notifier
OnTarget
OTtBP
OTtBPSDK
Over 1000 Games for Windows
Pac-Man Adventures in Time
PCDLNCH
PCI Fax Modem
QuickTime
SciTech Display Doctor
Scooby-Doo(TM), Jinx At The Sphinx(TM)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Settlers3
SFR
SFR2
SHARP GSM GPRS USB Driver Ver2.1.0
Shockwave
SimCity 3000 Unlimited
SiS 661FX_760_741_M661FX_M760_M741
SiS 900 PCI Fast Ethernet Adapter Driver
Spybot - Search & Destroy 1.4
The Sims 2
The Sims Deluxe Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VCAMCEN
VPRINTOL
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
World of Outlaws Sprint Cars
xtramsn Toolbar
Yahoo! Internet Mail
Yahoo! Messenger Explorer Bar
ZoneAlarm
 

Registered · 46,465 Posts
* Go to Add/Remove programs and uninstall these:

J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_05
Need2Find Bar


* Now go here and install the latest version of Java.

* I just noticed that you have HijackThis in a temp folder still zipped. It will not function properly that way. Please redownload HijackThis like so:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

*** Before you post the new log, please do the following:

* Click here to download Dr.Web CureIt and save it to your desktop.
  • Doubleclick the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found:
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:

    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! Files that are in use may be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new Hijack This log.
 

Registered · 23 Posts · Discussion Starter · #7
Hi,
I have done all that and will now post both logs.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 9:36:13 p.m., on 16/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Coral\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133574571625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146864049046
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/DriverDetective-m.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: faxvss - C:\WINDOWS\Registration\faxvss.dll (file missing)
O20 - Winlogon Notify: oleftp - C:\WINDOWS\system\oleftp.dll (file missing)
O20 - Winlogon Notify: openglwx - openglwx.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: PavPrSrv - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Dr Web log

uninstall need2find bar.dll;c:\program files;Adware.IESearch;Incurable.Moved.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Alana\Desktop\My Audio CD;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Alana\Local Settings\Application Data\Microsoft\CD Burning\Documents\Copy of My Music;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Alana\Local Settings\Application Data\Microsoft\CD Burning\Documents\Music\My Music;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Alana\Local Settings\Application Data\Microsoft\CD Burning\My Audio CD;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\All Users\Documents\Copy of My Music;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\All Users\Documents\Music\My Music;Trojan.Isbar.389;Deleted.;
ml[1].exe;C:\Documents and Settings\Coral\Local Settings\Temporary Internet Files\Content.IE5\CDEFKDEJ;Probably DLOADER.Trojan;Incurable.Moved.;
WinAntiVirusPro2006FreeInstall[1].exe;C:\Documents and Settings\Coral\Local Settings\Temporary Internet Files\Content.IE5\GLMRSTQN;Trojan.DownLoader.10963;Deleted.;
her.pt;C:\Documents and Settings\Nathan\Local Settings\Temp;Dialer.Maxd;Deleted.;
p2psetup[1].exe\data001;C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\XXDENVTI\p2psetup[1].exe;Adware.PeerNet;;
p2psetup[1].exe;C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\XXDENVTI;Archive contains infected objects;Moved.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Troy\My Documents\My Music;Trojan.Isbar.389;Deleted.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Troy\Shared;Trojan.Isbar.389;Deleted.;
Uninstall Need2Find Bar.dll;C:\Program Files;Adware.IESearch;;
03679336-2E1E-4D01-8BD8-752C88;C:\Program Files\Microsoft AntiSpyware\Quarantine\7743D8E8-195C-4FC2-9325-7E8ED4;Probably BACKDOOR.Trojan;Incurable.Moved.;
ND2FNBAR.DLL;C:\Program Files\Need2Find\bar\1.bin;Adware.IESearch;Incurable.Moved.;
A0005882.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10;Adware.InstaFinder;Incurable.Moved.;
A0005885.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10;Dialer.Maxd;Deleted.;
A0006975.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP12;Probably DLOADER.Trojan;Incurable.Moved.;
A0006979.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP12;Trojan.DownLoader.10963;Deleted.;
A0007302.DLL;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP15;Adware.Msearch;Incurable.Moved.;
A0002276.exe\data001;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP4\A0002276.exe;Adware.PeerNet;;
A0002276.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP4;Archive contains infected objects;Moved.;
A0003257.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP4;Adware.RXToolbar;Incurable.Moved.;
A0005524.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005525.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005526.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005528.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005529.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005530.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005531.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005532.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
A0005534.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
Install.dll;C:\WINDOWS\Downloaded Program Files\CONFLICT.1;Adware.SpywareStorm;Incurable.Moved.;
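
As an added example (my code, not Dr.Web's or the thread's), the following Python script parses the semicolon-separated DrWeb.csv report posted above and summarises it by action, threat family, restore-point location and objects with no recorded action. The field layout object;folder;threat;action is inferred from those lines, and the excerpt is copied from them.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) as posted above (added example).

Each line reads 'object;folder;threat;action;' (layout inferred from the
report in this thread). An object found inside an archive gets its own line
with an empty action and a folder that ends in the archive's file name; the
action taken on the archive itself appears on a separate line.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Excerpt copied from the report posted above.
SAMPLE_CSV = r"""uninstall need2find bar.dll;c:\program files;Adware.IESearch;Incurable.Moved.;
(Better Version) sunshineday matafix 38.wma;C:\Documents and Settings\Troy\Shared;Trojan.Isbar.389;Deleted.;
p2psetup[1].exe\data001;C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\XXDENVTI\p2psetup[1].exe;Adware.PeerNet;;
p2psetup[1].exe;C:\Documents and Settings\Troy\Local Settings\Temporary Internet Files\Content.IE5\XXDENVTI;Archive contains infected objects;Moved.;
Uninstall Need2Find Bar.dll;C:\Program Files;Adware.IESearch;;
A0005885.exe;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10;Dialer.Maxd;Deleted.;
A0005524.dll;C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP9;Adware.Altnet;Incurable.Moved.;
"""

# System Restore keeps copies of removed files under this folder.
RESTORE_ROOT = r"c:\system volume information\_restore"


@dataclass
class Detection:
    obj: str
    folder: str
    threat: str
    action: str  # empty when the scanner recorded no action for this object

    @property
    def path(self) -> str:
        return (self.folder + "\\" + self.obj).lower()

    @property
    def in_restore_point(self) -> bool:
        return self.folder.lower().startswith(RESTORE_ROOT)


def parse_report(text: str) -> list[Detection]:
    """Split each report line into its four fields, tolerating the trailing ';'."""
    detections: list[Detection] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(";")
        if fields and fields[-1] == "":  # trailing separator
            fields.pop()
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        detections.append(Detection(*fields))
    return detections


def summarize(detections: list[Detection]) -> dict:
    # Paths of every object the scanner acted on; an archive member's folder
    # is exactly one of these paths, so it is covered by the action on the archive.
    acted_on = {d.path for d in detections if d.action}
    members = [d for d in detections if not d.action and d.folder.lower() in acted_on]
    unresolved = [d for d in detections if not d.action and d.folder.lower() not in acted_on]
    return {
        "by_action": Counter(d.action or "(none)" for d in detections),
        "by_threat": Counter(d.threat for d in detections),
        "in_restore_points": sum(d.in_restore_point for d in detections),
        "archive_members": members,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_CSV))
    for key in ("by_action", "by_threat", "in_restore_points"):
        print(f"{key}: {dict(report[key]) if isinstance(report[key], Counter) else report[key]}")
    for d in report["unresolved"]:
        print(f"no action recorded, verify manually: {d.folder}\\{d.obj} ({d.threat})")
```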
 

Registered · 46,465 Posts
* Click here to download ATF Cleaner by Atribune and save it to your desktop.

* Click Here and download Killbox and save it to your desktop.

* Click here for info on how to boot to safe mode if you don't already know how.

* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)

O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Coral\Local Settings\Application Data\wdokbye.dll",bpzgoi

O4 - Startup: .protected

O4 - Global Startup: .protected

O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL

O20 - Winlogon Notify: faxvss - C:\WINDOWS\Registration\faxvss.dll (file missing)

O20 - Winlogon Notify: oleftp - C:\WINDOWS\system\oleftp.dll (file missing)

O20 - Winlogon Notify: openglwx - openglwx.dll (file missing)

O23 - Service: PavProt - Unknown owner - (no file)

O23 - Service: PavPrSrv - Unknown owner - (no file)


* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\Documents and Settings\Coral\Local Settings\Application Data\wdokbye.dll

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.

* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

* Restart back into Windows normally now.

* Run ActiveScan online virus scan here

When the scan is finished, click on the "Save Report" button and save the results of the scan to your desktop.

Note: You have to use Internet Explorer to do the online scan.

Post a new HiJackThis log along with the results from ActiveScan
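
As an added example that is not part of this thread, the following Python script applies to HijackThis log lines the same rules of thumb the helper used above when picking entries for "Fix checked": entries whose target file is gone, a rundll32 Run entry loading a DLL from a user's Application Data folder, dot-prefixed Startup entries, and context-menu items that open an external URL. The sample lines are copied from the logs posted in this thread; the rule names and the heuristics themselves are my own.

```python
"""Rule-of-thumb triage of HijackThis 1.99.1 log entries (added example).

The rules mirror what the helper selected above for "Fix checked"; they are
heuristics to shorten a human review, not a verdict on any entry.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the logs posted in this thread. A header line and a
# process-list line are included to show that non-entry lines are skipped.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R3 - URLSearchHook: (no name) - {15651C7C-E812-44a2-A9AC-B467A2233E7D} - (no file)
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - C:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [wdokbye.dll] C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Coral\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O20 - Winlogon Notify: oleftp - C:\WINDOWS\system\oleftp.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "R0 - ...", "O4 - ...": section tag, " - ", then the entry body.
ENTRY = re.compile(r"^(?P<section>[RFO]\d+)\s-\s(?P<body>.*)$")
# HijackThis marks an entry whose target is gone with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# rundll32 <dll>,<export>, with optional quoting around the DLL path.
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,', re.I)
# Per-user data folders on XP; HKLM Run entries rarely load DLLs from here.
PROFILE_DATA = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:local settings\\)?application data\\", re.I)
DOT_STARTUP = re.compile(r"^(?:Global )?Startup: \.")
URL = re.compile(r"https?://", re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return the entries a reviewer should look at, with the rule that fired."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        section, body = m.group("section"), m.group("body")
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned entry: target file no longer exists", line))
        elif section == "O4":
            dll = RUNDLL.search(body)
            if dll and PROFILE_DATA.search(dll.group("dll")):
                findings.append(Finding(section, "rundll32 loads a DLL from a user profile data folder", line))
            elif DOT_STARTUP.match(body):
                findings.append(Finding(section, "dot-prefixed Startup entry", line))
        elif section == "O8" and URL.search(body):
            findings.append(Finding(section, "context-menu item opens an external URL; confirm the host is wanted", line))
    return findings


def reason_counts(findings: list[Finding]) -> Counter:
    return Counter(f.reason for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for reason, n in reason_counts(found).items():
        print(f"{n:2d}  {reason}")
    print()
    for f in found:
        print(f"[{f.section}] {f.line}")
```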
 

Registered · 23 Posts · Discussion Starter · #9
Hi,
Here is the HJT log.
Could not delete the O4 - Startup: .protected entry.
Received the message "The file may be in use. Use Task Manager to shut down the program and run HJT again to delete the file." I have no idea what program to shut down.
Also the O23 services PavProt and PavPrSrv:
HJT appears to delete them, but on rescan they appear to still be there.

Logfile of HijackThis v1.99.1
Scan saved at 8:39:06 p.m., on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: .protected
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133574571625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146864049046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/DriverDetective-m.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: PavPrSrv - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here is the active scan log

Incident Status Location

Potentially unwanted tool:application/bestoffer Not disinfected c:\windows\smdat32m.sys
Adware:adware/actualnames Not disinfected c:\program files\advsearch
Potentially unwanted tool:application/need2find Not disinfected c:\program files\Need2Find
Potentially unwanted tool:application/antispywaresoldier Not disinfected hkey_current_user\software\ADV
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:adware/activshopper Not disinfected Windows Registry
Adware:adware/instafinder Not disinfected Windows Registry
Dialer:dialer.ok Not disinfected HKEY_CURRENT_USER\CLSID\{35F59C80-C1F2-4EEA-9981-686C7D5A9277}
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0002276.exe
Adware:Adware/RXToolbar Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0003257.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005524.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005525.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005526.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005528.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005529.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005530.dll
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005531.exe
Potentially unwanted tool:Application/BrilliantDigital Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005532.exe
Potentially unwanted tool:Application/Altnet Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005534.dll
Adware:Adware/InstaFinder Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0005882.dll
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\A0007302.DLL
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\ND2FNBAR.DLL
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\p2psetup[1].exe
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Documents and Settings\Coral\DoctorWeb\Quarantine\uninstall need2find bar.dll
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\9vbpvcn3.default\cookies-1.txt[.statcounter.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nathan\Application Data\Mozilla\Firefox\Profiles\9vbpvcn3.default\cookies-2.txt[.statcounter.com/]
Again, thank you for your time.
Beau
 

· Registered · 46,465 Posts
* Copy these instructions to notepad and save them to your desktop. You will need them to refer to.

* I am attaching a fix.zip file to this post. Download it and save it to your desktop. Unzip it to extract the fix.reg file it contains.

Doubleclick on the fix.reg file to add it to the registry. Answer yes to confirm the merge.

* Restart your computer into safe mode now. Perform the following steps in safe mode:

* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

O4 - Startup: .protected

Close Hijack This.

* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\Documents and Settings\Nathan\Start Menu\Programs\Startup\.protected

    c:\windows\smdat32m.sys

    c:\program files\advsearch

    c:\program files\Need2Find

    C:\Documents and Settings\Coral\Start Menu\Programs\Startup\.protected

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confirmation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.

* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

* Restart back into Windows normally now.

* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop, then come back here and attach it to your next reply along with a new Hijack This log.
 

Attachments

· Registered · 23 Posts · Discussion Starter · #11 ·
hi
Killbox could not delete c\program\advsearch.
Otherwise I have done all. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:13 p.m., on 18/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133574571625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146864049046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/DriverDetective-m.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: PavPrSrv - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

bitdefender report

BitDefender Online Scanner

Scan report generated at: Thu, Jan 18, 2007 - 21:37:17

Scan path: A:\;C:\;D:\;

Statistics
Time: 01:33:31
Files: 229149
Folders: 7708
Boot Sectors: 2
Archives: 1184
Packed Files: 12953

Results
Identified Viruses: 9
Infected Files: 27
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 27

Engines Info
Virus Definitions: 371000
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File
Status

C:\$VAULT$.AVG\00087906.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\00087906.FIL
Disinfection failed

C:\$VAULT$.AVG\00087906.FIL
Deleted

C:\$VAULT$.AVG\00087953.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\00087953.FIL
Disinfection failed

C:\$VAULT$.AVG\00087953.FIL
Deleted

C:\$VAULT$.AVG\00737375.FIL
Infected with: Trojan.Spambot.BO

C:\$VAULT$.AVG\00737375.FIL
Disinfection failed

C:\$VAULT$.AVG\00737375.FIL
Deleted

C:\$VAULT$.AVG\00740437.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\00740437.FIL
Disinfection failed

C:\$VAULT$.AVG\00740437.FIL
Deleted

C:\$VAULT$.AVG\00743390.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\00743390.FIL
Disinfection failed

C:\$VAULT$.AVG\00743390.FIL
Deleted

C:\$VAULT$.AVG\00750343.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\00750343.FIL
Disinfection failed

C:\$VAULT$.AVG\00750343.FIL
Deleted

C:\$VAULT$.AVG\00753171.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\00753171.FIL
Disinfection failed

C:\$VAULT$.AVG\00753171.FIL
Deleted

C:\$VAULT$.AVG\02871625.FIL
Infected with: Trojan.Spambot.BO

C:\$VAULT$.AVG\02871625.FIL
Disinfection failed

C:\$VAULT$.AVG\02871625.FIL
Deleted

C:\$VAULT$.AVG\02874296.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02874296.FIL
Disinfection failed

C:\$VAULT$.AVG\02874296.FIL
Deleted

C:\$VAULT$.AVG\02876375.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\02876375.FIL
Disinfection failed

C:\$VAULT$.AVG\02876375.FIL
Deleted

C:\$VAULT$.AVG\02882390.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\02882390.FIL
Disinfection failed

C:\$VAULT$.AVG\02882390.FIL
Deleted

C:\$VAULT$.AVG\02884937.FIL
Infected with: Worm.Glowa.AI

C:\$VAULT$.AVG\02884937.FIL
Disinfection failed

C:\$VAULT$.AVG\02884937.FIL
Deleted

C:\$VAULT$.AVG\02912953.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02912953.FIL
Disinfection failed

C:\$VAULT$.AVG\02912953.FIL
Deleted

C:\$VAULT$.AVG\02918156.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02918156.FIL
Disinfection failed

C:\$VAULT$.AVG\02918156.FIL
Deleted

C:\$VAULT$.AVG\02919796.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02919796.FIL
Disinfection failed

C:\$VAULT$.AVG\02919796.FIL
Deleted

C:\$VAULT$.AVG\02923031.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02923031.FIL
Disinfection failed

C:\$VAULT$.AVG\02923031.FIL
Deleted

C:\$VAULT$.AVG\02933437.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02933437.FIL
Disinfection failed

C:\$VAULT$.AVG\02933437.FIL
Deleted

C:\$VAULT$.AVG\02938500.FIL
Infected with: Trojan.Downloader.Agent.AFB

C:\$VAULT$.AVG\02938500.FIL
Disinfection failed

C:\$VAULT$.AVG\02938500.FIL
Deleted

C:\Documents and Settings\Coral\DoctorWeb\Quarantine\ml[1].exe
Infected with: Trojan.Downloader.Small.EFH

C:\Documents and Settings\Coral\DoctorWeb\Quarantine\ml[1].exe
Disinfection failed

C:\Documents and Settings\Coral\DoctorWeb\Quarantine\ml[1].exe
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Mein.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Mein.class
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Mein.class
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip
Updated

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Prober.class
Infected with: Java.Trojan.Exploit.Bytverify

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Prober.class
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Prober.class
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip
Updated

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Beyond.class
Infected with: Trojan.Java.Binny.A

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Beyond.class
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>Beyond.class
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip
Updated

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny.class
Infected with: Trojan.Dropper.Java.Beyond.D

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny.class
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny.class
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip
Updated

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny2.class
Infected with: Trojan.Java.Binny.A

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny2.class
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip=>binny/binny2.class
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4461f74a-6f84c9b5.zip
Updated

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-47610a46-6fc42045.zip=>javautil.zip
Infected with: Generic.Malware.dld!!.EB79E121

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-47610a46-6fc42045.zip=>javautil.zip
Disinfection failed

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-47610a46-6fc42045.zip=>javautil.zip
Deleted

C:\Documents and Settings\Nathan\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-47610a46-6fc42045.zip
Updated

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10\A0005888.dll
Infected with: DeepScan:Generic.Zlob.CDAAE811

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10\A0005888.dll
Disinfection failed

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP10\A0005888.dll
Deleted

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP16\A0008414.exe
Infected with: Trojan.Downloader.Small.EFH

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP16\A0008414.exe
Disinfection failed

C:\System Volume Information\_restore{C2BDE191-173E-4792-B8F6-E85E9CEA4A56}\RP16\A0008414.exe
Deleted
 

· Registered · 46,465 Posts
* Go here and run the F-Secure Online Scanner.

  • Follow the Instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • After the ActiveX installs, click Full System Scan
  • When the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply along with a new Hijack This log.

Note: You have to use Internet Explorer to do the scan.
 

· Registered · 23 Posts · Discussion Starter · #13 ·
HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:18:57 p.m., on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\sistray.EXE
C:\WINDOWS\system32\keyhook.exe
C:\WINDOWS\sm56hlpr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\system32\sistray.EXE
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {266B9238-31A5-4B53-9039-272FE846DF9D} (DiameterTransfer Control) - http://www.sis.com/download/SISTransfer.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133574571625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146864049046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B590F5BC-5774-47D8-859E-727E25E017AA} (DriverDetectiveMembers.members) - http://www.drivershq.com/files/cab/member/DriverDetective-m.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by17fd.bay17.hotmail.msn.com/activex/HMAtchmt.ocx
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PavProt - Unknown owner - (no file)
O23 - Service: PavPrSrv - Unknown owner - (no file)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

f-secure scan report

Scanning Report
Friday, January 19, 2007 19:16:58 - 20:16:04
Computer name: SCOOP-2200
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

--------------------------------------------------------------------------------

Result: 1 malware found
W32/Smalltroj.MGE (virus)
C:\DOCUMENTS AND SETTINGS\CORAL\DOCTORWEB\QUARANTINE\INSTALL.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 32671
System: 4407
Not scanned: 101
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
xe*SA\MACHINEKEYS\3E9F4F605B560EEE4BD69BDCF8BCB605_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\3EDCA588B0922422F25DA901B487484E_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\404076582BDEB78A2CF55CF459B4D363_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\41C8E9BEED5898269A1CB1D81DAD389B_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\46C81350C64ABEF270BD958D8B8D865D_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\471500857E3D93B2768F4D4B8EB971BC_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\491EC1483B03250CB13CD723645CE862_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\4D465CCC42034AD6DB58DE99439E8A79_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5249B35BDE7048C5344FA83863AA7338_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\56B4227B4148FED03C869E3BBBB97A02_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5B7CFBCD8A8A08FA1539686F7AABE491_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5D5DF090591D0D35BA9D11761BF1E69E_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\5ECE1A99F7E0B30B43AA27EA8DDE5A38_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\619B678A130260E8474141A96B0E11F5_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\623EE652F6F0DA4E9BFBA3F3BC5EFE3B_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\64868B8713B0068D08C67824B976FAB6_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\6A52FEC681C5B8E0BCD4CDC2A28DD1F9_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\747AC6B70552537942B9775E2931BB6F_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\79C9558ABDBBDC04CE3EE05368751FEE_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\7F5D6DF8836F9457C60CFD69F448D0E8_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\850F458D75F3842A69C83F3049404F50_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\879D3A10252BD077D487EEF70DCCD8C0_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\87B4479FC62DE28CF3DC0D5C5CB842A4_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\8CCF37F1B04439440BB60A229F14F398_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\8F263452F47DDC78D95433E3E2865975_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\92A489415DCE505F6E7DD1AC8AFCC9C7_B573ABC7-4D1C-4890-80AA-B438B50116A1
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACKY

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-01-18
F-Secure AVP: 7.0.171, 2007-01-18
F-Secure Orion: 1.2.37, 2007-01-19
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 2007-01-17
F-Secure Pegasus: 1.19.0, 2007-00-17
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

Thank you
 

· Registered
Joined
·
46,465 Posts
How is everything now?

Did you use to have Panda antivirus installed, or do you maybe still have it?
 

· Registered
Joined
·
23 Posts
Discussion Starter · #15 ·
Hi
Yes, it seems they do have Panda on their computer. Have deleted it using Add/Remove. Did a search for it and found it still here. Tried to delete the files, but pavlsp.dll cannot be deleted: access denied. Tried to delete the files in Safe Mode with the same results. Is there a program that will remove this for me?

Otherwise all seems to be going fine. Will do a scan and check for infections.

Thanks
 
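Added example, not part of the thread. A file that is mapped into a running process cannot be deleted, and that is one common reason for an "access denied" that persists into Safe Mode when the owning process is still started there. The Windows PowerShell script below (3.0 or later on a modern Windows client, run elevated; the thread's Windows XP machine had no PowerShell) lists the copies of a named DLL under a few search roots together with their Authenticode status, and every process that currently has that DLL loaded. The module name is taken from the post; the search roots are assumptions, and whether pavlsp.dll was in fact loaded on that machine is not something the thread shows.

```powershell
# Added example (not from the thread). Shows which running processes have a
# given DLL mapped, which is why deleting it fails with "access denied".
# Assumptions: Windows PowerShell 3.0+ on a modern Windows client, run
# elevated so that modules of services can be read. The module name is the
# one from the post; the search roots are assumptions.
param(
    [string]$ModuleName = 'pavlsp.dll',
    [string[]]$SearchRoots = @("$env:SystemRoot\System32", $env:ProgramFiles)
)

# 1. Copies on disk, with their Authenticode state, so a vendor remnant can
#    be told apart from a similarly named file dropped by something else.
$copies = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Filter $ModuleName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                Size   = $_.Length
                Signer = (Get-AuthenticodeSignature $_.FullName).Status
            }
        }
}

# 2. Processes that currently have the module loaded. Reading .Modules of a
#    process in another session or of different bitness throws; record that
#    as "unknown" instead of aborting the whole scan.
$holders = foreach ($p in Get-Process) {
    try {
        foreach ($m in $p.Modules) {
            if ($m.ModuleName -ieq $ModuleName) {
                [pscustomobject]@{ PID = $p.Id; Process = $p.ProcessName; Path = $m.FileName }
            }
        }
    } catch {
        Write-Verbose ("Cannot read modules of {0} (PID {1}): {2}" -f
            $p.ProcessName, $p.Id, $_.Exception.Message)
    }
}

"Copies of {0} on disk:" -f $ModuleName
if ($copies)  { $copies  | Format-Table -AutoSize } else { '  none found under the search roots' }
"Processes holding {0}:" -f $ModuleName
if ($holders) { $holders | Format-Table -AutoSize } else { '  none; the file is not in use by a running process' }
```

If the second table is non-empty, stopping or uninstalling the listed process (or its service) is what releases the file; if it is empty and the delete still fails, the cause is something other than an open handle, such as file permissions, and the uninstaller or a vendor removal tool is the safer route than forcing the delete.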

· Registered
Joined
·
46,465 Posts
Check the Panda site and see if they offer a tool to remove Panda remnants.

As the malware cleaning is done now, please do the following:

* If I had you use Killbox to delete any files, go ahead and delete the C:\!Killbox folder, then empty the Recycle Bin.

* Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

* Go to Windows update and install all "High Priority Updates".

* Now turn off System Restore:

On the Desktop, right-click My Computer.
Click "Properties".
Click the "System Restore" tab.
Put a check by "Turn off System Restore on all drives".
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To turn System Restore back on:

On the Desktop, right-click My Computer.
Click "Properties".
Click the "System Restore" tab.
Remove the check by "Turn off System Restore on all drives".
Click Apply, and then click OK.

To create a restore point:

Single-click "Start" and point to "All Programs".
Mouse over "Accessories", then "System Tools", and select "System Restore".
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the "Next" button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click "Create" and you're done.
 
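Added example, not part of the thread. The off/on/create-a-point sequence above exists because restore points made while the machine was infected can hold copies of the files that were just removed; turning System Restore off for a drive discards them. The script below does the same steps from an elevated Windows PowerShell 5.1 prompt on Windows 7 or later and then verifies that only the new baseline remains. It assumes the drive is C:\ and uses the description wording from the post. The *-ComputerRestore cmdlets did not exist on the Windows XP machine in this thread (they wrap the WMI class SystemRestore in the root\default namespace, which is what a script on XP would call) and are not available in PowerShell 7.

```powershell
# Added example (not from the thread). Reproduces the helper's post-cleanup
# System Restore procedure: turn System Restore off for the drive (this
# discards the restore points made while the machine was infected), turn
# it back on, create a clean baseline and verify the result.
# Assumptions: elevated Windows PowerShell 5.1 on Windows 7 or later; the
# drive is C:\. These cmdlets are absent on XP and in PowerShell 7.

$drive       = 'C:\'
$description = 'After trojan/spyware cleanup'   # wording from the post

# Restore-point operations need an elevated token; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as Administrator) PowerShell prompt.'
}

# 1. What exists before: these points may contain copies of removed files.
$before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
"Restore points before: {0}" -f $before.Count

# 2. Off, then on. Disabling protection for a drive deletes its restore points.
Disable-ComputerRestore -Drive $drive
Enable-ComputerRestore  -Drive $drive

# 3. New baseline. MODIFY_SETTINGS is the type used for a manual point.
#    Windows 8 and later skip creation (with a warning, not an error) if
#    another point was made in the last 24 hours, so do not assume success.
Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'

# 4. Verify: only the new point should remain.
$after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$after | Format-Table SequenceNumber, Description,
    @{ n = 'Created'; e = { $_.ConvertToDateTime($_.CreationTime) } } -AutoSize

$stale = @($after | Where-Object { $_.Description -ne $description })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} restore point(s) from before the cleanup still present" -f $stale.Count)
}
if (-not ($after | Where-Object { $_.Description -eq $description })) {
    Write-Warning 'The new restore point was not created (24-hour creation limit?).'
}
```

The verification step is the part worth keeping even when the GUI is used: after the off/on cycle the list of restore points should contain nothing older than the cleanup, and the new point should actually be there rather than silently skipped by the 24-hour limit on newer Windows versions.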

· Registered
Joined
·
23 Posts
Discussion Starter · #17 ·
:up: :) Hi.

Thank you for all your help. Comp is running better, did a scan and it came up clean. Did a sys restore and will now give comp back with some security instructions.

Thank you once again

Beau
 

· Registered
Joined
·
46,465 Posts
Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".
 