Winfixer popups on a fresh Windows install - HijackThis log


  • This topic is locked
11 replies to this topic

#1 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 04 May 2006 - 08:22 PM

Hi people.... Can someone help me with this? I got a "NTLDR is missing" error message when booting my notebook, I tried to repair this with no success so I deleted the partition and did a fresh install of Windows XP, but I'm having lots of messages from the 'system administrator' (like those sent by NET SEND) telling me about Winfixer and other apps... I only installed Windows XP from the original CD from HP and the Driver Recovery CD... then I installed MSN Messenger and Skype... but I was already having those popups before those last two. I haven't downloaded any update or SP2 yet 'cause I thought something was wrong since it's a fresh install... This is the hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:11:17, on 4/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Turbo ADSL\WrOS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Appz\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HidePost] C:\WINDOWS\System32\hidepost.exe
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\Turbo ADSL\WrDialer.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A51FE0-AE3E-410E-AF0B-76B203F1B968}: NameServer = 201.10.120.2 201.10.128.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Turbo ADSL\WrOS.EXE

Thanks a lot,
Rodrigo Basniak


#2 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 05 May 2006 - 12:09 PM

Hello Rodrigo,

Welcome to Tom Coyote.

This is how to fix "NTLDR is missing"

Windows XP users

1. Insert the Windows XP bootable CD into the computer.
2. When prompted to press any key to boot from the CD, press any key.
3. Once in the Windows XP setup menu press the "R" key to repair Windows.
4. Log into your Windows installation by pressing the "1" key and pressing enter.
5. You will then be prompted for your administrator password, enter that password.
6. Copy the below two files to the root directory of the primary hard disk. In the below example we are copying these files from the CD-ROM drive letter "E". This letter may be different on your computer.

copy e:\i386\ntldr c:\
copy e:\i386\ntdetect.com c:\

7. Once both of these files have been successfully copied, remove the CD from the computer and reboot.




DO THIS FIRST
Your HIJACKTHIS program is current, but it is very important that it resides in its own folder.
We will use Hijackthis (HJT) to make changes to your system and HJT will make backups of those changes,
If HJT is not in its own folder, those backups could be lost.

Easy to fix,
* just go to My Computer > YOUR C:\ DRIVE > Program Files and create a new folder and name it Hijackthis .
* Now scroll to where you have HJT currently, right click on the HJT icon and select CUT .
* Now open the new folder you just created and right click within that folder and select PASTE .
* Now HJT should reside in C:\Program Files\Hijackthis\Hijackthis.exe

Please do not proceed until you have moved HJT




Your log is not showing me anything earth shattering to suggest a virus or malware, but it could be hiding.

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Post back with the Blacklight log please

 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Find us on Facebook
Please LIKE and SHARE
 
 
Just a reminder that threads will be closed if no reply in 3 days.

#3 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 05 May 2006 - 09:28 PM

Hi... That's the log you requested:

05/05/06 23:55:39 [Info]: BlackLight Engine 1.0.36 initialized
05/05/06 23:55:39 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/05/06 23:55:39 [Note]: 7019 4
05/05/06 23:55:39 [Note]: 7005 0
05/05/06 23:55:43 [Note]: 7006 0
05/05/06 23:55:44 [Note]: 7011 1868
05/05/06 23:55:45 [Note]: 7026 0
05/05/06 23:55:45 [Note]: 7026 0
05/05/06 23:55:58 [Note]: FSRAW library version 1.7.1015
05/06/06 00:15:21 [Note]: 7007 0

I know this will sound newbie or even crazy but the strangest thing is that the popups seem to have disappeared... I haven't much time to spend on the computer to be sure of that, but I'll leave it on to see if some popup comes up.... Windows installed some updates automatically, but I don't think this would solve the problem... would it?

Best regards,
Rodrigo Basniak

#4 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 06 May 2006 - 04:27 AM

Hi again... Yep... the messages are still there... I left the computer on and when I woke up there were some messages about WinXpCleaner.... :( Regards, Rodrigo Basniak

#5 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 06 May 2006 - 07:03 AM

Good Morning,

The winfixer popups are from a Vundo Infection but your log looks ok, so it may be stealth installed.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log into your next reply.

Post back with the Vundofix log and a new HJT log please.

 
 

#6 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 08 May 2006 - 08:13 PM

Hi again....

VundoFix didn't find anything... :(

And here's a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:07:04, on 8/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Turbo ADSL\WrOS.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\svchost.exe
D:\Appz\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HidePost] C:\WINDOWS\System32\hidepost.exe
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\Turbo ADSL\WrDialer.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows mplayercodex Services] MSPF.EXE
O4 - HKCU\..\RunServices: [Windows mplayercodex Services] MSPF.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147043909156
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A51FE0-AE3E-410E-AF0B-76B203F1B968}: NameServer = 201.10.120.2 201.10.128.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Turbo ADSL\WrOS.EXE


Thanks again....
Rodrigo Basniak

#7 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 09 May 2006 - 07:10 AM

Good Morning,


You may want to print this out or copy and paste it into Notepad as we will be offline for part of the fix.


* Click on MY COMPUTER
* Then on your C: Drive
* Then to TOOLS/ FOLDER OPTIONS/ VIEW
* Choose the radio button to SHOW HIDDEN FILES AND FOLDERS
* Take the checkmark out of HIDE EXTENSIONS FOR KNOWN FILE TYPES
* Then APPLY/ OK

* Don't forget to reverse this once your computer is clean



Download and install Ewido Anti-Malware
* When installing, under Additional Options uncheck
* Install background guard and
* Install scan via context menu

* Launch Ewido, there should be an icon on your desktop for it to double-click.
o Click on update
o You should see Update Complete when done.
o Now close out the program <-- Don't run it yet





Now reboot into Safemode
* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD



Now open Ewido
o Click on scanner.
o Run a full system scan
o Let the program scan the machine.
o While the scan is in progress you will be prompted to clean files, click OK.
o Select Perform action on all infections
o Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
o Click Save report.
o Save the report to your desktop.


While in Safemode, open HJT Scan Only, close all open windows , check these items and click on Fix Checked.

O4 - HKCU\..\Run: [Windows mplayercodex Services] MSPF.EXE
O4 - HKCU\..\RunServices: [Windows mplayercodex Services] MSPF.EXE



Look for and delete this file, it could be in one of three possible locations

C:\MSPF.exe
C:\windows\MSPF.exe
C:\windows\system32\MSPF.exe



Reboot normally



Run both of these free online virus scanners. Have Housecall set to auto clean; Panda will let you save the report.
http://housecall.trendmicro.com/
http://www.pandasoft...com/activescan/

Post back with the Panda Report, the Ewido Report and a New HJT Log.

 
 
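The two MSPF.EXE entries ken545 picks out of the 8 May log are the pattern a log reader learns to spot in an O4 section: a bare filename with no path, a display name that poses as a Windows component, and an entry under RunServices, a key that only Windows 9x/Me ever processed and that XP ignores, so legitimate XP software has no reason to write there. The script below is an added example for this thread, not code from the thread or from HijackThis: it parses the O4 lines of a HijackThis 1.99 log and flags those three patterns. The sample lines are copied from the 8 May log above; the heuristics, the `rundll32.exe` allow-list and the wording of the reasons are this example's own assumptions. A flag is a prompt for review, not a verdict: the same rule that catches MSPF.EXE also catches NVIDIA's legitimate `nwiz.exe /installquiet`.

```python
"""Triage the O4 (autorun) section of a HijackThis 1.99 log.

Added example for this thread; not code from the thread or from HijackThis.
Sample lines are copied from the 8 May 2006 log posted above. The three
heuristics and the host-binary allow-list are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: O4 lines taken from the 8 May 2006 HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HidePost] C:\WINDOWS\System32\hidepost.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Windows mplayercodex Services] MSPF.EXE
O4 - HKCU\..\RunServices: [Windows mplayercodex Services] MSPF.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
"""

# "O4 - HKLM\..\Run: [name] command"  (Run, RunOnce, RunServices, RunServicesOnce)
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# "O4 - Global Startup: shortcut.lnk = target"
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Executable token of an unquoted command line: everything up to the first .exe/.com/...
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

# Autorun keys only Windows 9x/Me processed; NT/2000/XP ignore them, so an entry
# there is malware writing to every autorun key it knows (assumption of this example).
WIN9X_ONLY_KEYS = {"RunServices", "RunServicesOnce"}
# Bare host binaries that are normal in Run keys; the payload is in their arguments.
SYSTEM_HOSTS = {"rundll32.exe"}
# Display names that try to look like an OS component.
IMPERSONATION = re.compile(r"\b(windows|microsoft|system)\b", re.I)


@dataclass
class Autorun:
    line: str
    hive: str        # HKLM, HKCU or "Startup folder"
    key: str         # Run, RunOnce, RunServices, ... or "Global Startup"
    name: str
    command: str
    reasons: List[str]


def executable_of(command: str) -> str:
    """Return the executable part of an autorun command line."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):            # quoted path, arguments follow the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)              # unquoted, possibly with spaces in the path
    return m.group(1) if m else command.split(None, 1)[0]


def parse_o4(line: str) -> Optional[Autorun]:
    """Parse one HijackThis O4 line; lines from other sections return None."""
    m = REG_RE.match(line)
    if m:
        return Autorun(line, m["hive"], m["key"], m["name"], m["cmd"], [])
    m = STARTUP_RE.match(line)
    if m:
        return Autorun(line, "Startup folder", m["key"], m["name"], m["cmd"], [])
    return None


def triage(entry: Autorun) -> Autorun:
    """Attach a reason for every heuristic the entry trips."""
    exe = executable_of(entry.command)
    bare = "\\" not in exe and ":" not in exe
    if entry.key in WIN9X_ONLY_KEYS:
        entry.reasons.append(f"{entry.key} is a Windows 9x-only key that XP never runs; "
                             "only malware spraying every autorun key writes here")
    if bare and exe.lower() not in SYSTEM_HOSTS:
        entry.reasons.append(f"bare filename {exe!r} with no path: resolved via the search "
                             "path, typically a file dropped into %SystemRoot% or System32")
    if IMPERSONATION.search(entry.name) and not exe.lower().startswith("c:\\windows\\"):
        entry.reasons.append("display name poses as a Windows component but the command "
                             "does not point into C:\\WINDOWS")
    return entry


def suspicious(log_text: str) -> List[Autorun]:
    """Return the O4 entries that trip at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line.strip())
        if entry is not None and triage(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for entry in suspicious(SAMPLE_LOG):
        print(entry.line)
        for reason in entry.reasons:
            print("    ->", reason)
```

Run over the sample it reports three entries: nwiz (bare filename only), and both MSPF.EXE lines, the RunServices one tripping all three rules. Run over the O4 lines of the 4 May log instead, it would flag only nwiz, which matches ken545's reading that the first log showed nothing; the MSPF.EXE pair only appears in the 8 May log.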

#8 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 11 May 2006 - 09:04 PM

Hello again...

All done :) Here are the logs you requested:

- ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 01:02:25, 11/5/2006
+ Report-Checksum: 36E1C3C2

+ Scan result:

:mozilla.9:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Rodrigo Basniak\Cookies\rodrigo basniak@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Rodrigo Basniak\Cookies\rodrigo basniak@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Program Files\Turbo ADSL\WrDialer.exe -> Heuristic.Win32.Dialer : Cleaned with backup


::Report End

- HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 23:37:20, on 11/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Turbo ADSL\WrOS.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Appz\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [HidePost] C:\WINDOWS\System32\hidepost.exe
O4 - HKLM\..\Run: [z-WrDialer] C:\Program Files\Turbo ADSL\WrDialer.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147043909156
O17 - HKLM\System\CCS\Services\Tcpip\..\{43A51FE0-AE3E-410E-AF0B-76B203F1B968}: NameServer = 201.10.120.2 201.10.128.3
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\Turbo ADSL\WrOS.EXE


- Panda log


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.terra.com.br/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.google.com.br/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.uol.com.br/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[de.uol.com.br/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Application Data\Mozilla\Firefox\Profiles\6wusrjxj.default\cookies.txt[.ig.com.br/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rodrigo Basniak\Cookies\rodrigo basniak@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Rodrigo Basniak\Cookies\rodrigo basniak@google.com[1].txt
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i


It seems that the net send messages disappeared :)

Thank you,
Rodrigo Basniak

#9 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 13 May 2006 - 07:53 PM

Rodrigo, Sorry for the late reply but I have been away for a couple of days. Is this a program that you use? C:\Program Files\Turbo ADSL <---- I am sure it's ok but I am picking up mixed results on it. Basically all Panda and Ewido found were cookies, Ewido did find the above program and it looks like it removed part of it. The rest of your log looks good :thumbup: Are you having any issues???

 
 

#10 Rodrigo Basniak

    New Member

  • Authentic Member
  • 10 posts

Posted 14 May 2006 - 04:53 PM

Hi, The Turbo ADSL is my internet dialer, there's nothing to worry about this one... :) Everything else is just ok... no more net send messages or anything else... Thank you so much and best regards, Rodrigo Basniak

#11 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 14 May 2006 - 04:56 PM

Rodrigo :D

Glad things are well :thumbup:



Here are some free programs and tips for keeping your system up to date, and to help keep all the riff raff out of your system.

Be sure to follow the instructions for System Restore because everything we removed is backed up in that program and if you ever use it to revert your system to an earlier date, you can reinfect yourself all over again.


Download and Install CCleaner
* Click on Run Cleaner
* Run the Issues Scan < When it asks you to backup the Registry..Say Yes
Tutorial for CCleaner


Now that you're clean, we need to erase all possible older infected files that may still be lurking on your system.
* Clean out your TEMP FILES
* This procedure should be run from SAFEMODE for better results.

To Enter SAFEMODE

* Go to START/ SHUT OFF YOUR COMPUTER/ RESTART
* As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
* Use the UP AND DOWN ARROW KEYS to scroll up to SAFEMODE
* Then press the ENTER KEY ON YOUR KEYBOARD

* Go to My Computer/ C: Drive/ Documents and Settings/ Every User on this Computer Local Settings
and delete all the contents of the Temp Folder and the Temporary Internet Files Folder <--Just the contents, not the folder itself.

* Go to My Computer/ C:/ Windows/ Temp and delete all the contents of the Temp Folder <-- But not the temp folder itself.

* Go to My Computer/ C:/ Windows/ Prefetch and remove all the contents of the Prefetch Folder. <--But not the Prefetch folder itself.


NOW RE-BOOT NORMALLY


* Open INTERNET EXPLORER
* Click on the TOOLS MENU
* Then INTERNET OPTIONS
* At the GENERAL TAB (which should be the first tab you are currently on),
* click on the DELETE FILES BUTTON and put a checkmark in DELETE ALL OFFLINE CONTENT.
* Then press the OK BUTTON . This may take quite a while, so do not be alarmed with how long it takes.
* When it is done, your Temporary Internet Files will now be deleted.

Now Empty your Recycle Bin

System Restore makes regular backups of all your settings, if you ever had to use this program to restore your
system to a previous date, you will be infected all over again so we need to clean out the previous Restore Points

Turn off System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

Reboot your System

Turn ON System Restore.

* Right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore on all Drives.
* Click Apply, and then click OK.

* Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You can name the restore point anything you like, something that you can remember. You will have to be in Category View to see this.

* Make sure that your ANTI-VIRUS SOFTWARE is up to date and run a full scan at least once a week.

* Here are Free Anti-Virus Programs if you need one. Just install one because with AV software...MORE IS NOT BETTER.

AVG Free Edition
AntiVir Personal Edition


* Spybot Search and Destroy 1.4
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

* Ad-Aware SE Personal 1.06
Check for Updates and run a Full System Scan on a regular basis.

* Spyware Blaster It will prevent most spyware from ever being installed.

* Spyware Guard It offers realtime protection from spyware installation attempts.

* Win Patrol This program will warn you when any changes are being made to your system and
give you the option to deny the change.

* IE- Spyad IE-Spyad places over 4000 web sites and domains
in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed,
although you will still be able to connect to the sites.

* Firefox Browser
It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use
them both. When it asks you if you want it to be your default browser, say NO and take the checkmark out of the box to ask you again. After you use this
for awhile, you will want to make it your default.

* Thunderbird Mail Their companion mail program was highly favored in PCWorld Magazine,
this has a good spam filter and is more secure than Outlook Express.

* Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't
access the internet without it.

* WINDOWS UPDATES - Enable Automatic Updates
Right click on MY COMPUTER/Click on PROPERTIES/ AUTOMATIC UPDATES and put a mark in the radio button
DOWNLOAD UPDATES FOR ME BUT LET ME CHOOSE WHEN TO INSTALL THEM.

* Go to START/ CONTROL PANEL> PERFORMANCE AND MAINTENANCE> REARRANGE ITEMS ON YOUR HARD DISK TO MAKE PROGRAMS RUN FASTER
This is the Windows Disk Defragger, run this maybe once or twice a month to keep your system running good. The first time you run it, it may take awhile.

Thanks for stopping by Tom Coyote, I am glad I was able to help you, I will keep this thread open for a few days in case you have any other questions.

 
 

#12 ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests: Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 21 May 2006 - 10:33 AM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

 
 
