6 replies to this topic

[Daytek85]

Hello,
I recently encounted those two Trojans yesterday. I ran my anti virus, AVG Free edition, and it cleaned out both, but the first one kept on popping back. I googled the names and I heard that they both might be linked with AVG, so I uninstalled it, and downloaded Avast Anti Virus. Ran a full scan in safemode and it came up clean. I was wondering if I posted a hijackthis log you could confirm everything is gone. Or if there is anything more I can clear up. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 6:39:33 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Tyson\hijackthis.exe

O1 - Hosts: 206.222.29.130 L2authd.lineage2.com
O1 - Hosts: 206.222.29.130 L2testauthd.lineage2.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.snipernet.us
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.snipernet.us (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142492615593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42742643-1B40-4A7C-A175-FFFA80806D96}: NameServer = 192.168.10.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Susan528]

Hello Daytek85 and Welcome to TomCoyote,

Please do the following:

STEP 1.
======
DelDomains

Download this file to your desktop.
http://www.mvps.org/.../DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'

Once it is finished your Zones should be reset.

Note, if you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection

STEP 2.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here

• Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
  (This may take several minutes)
• Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
• Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
• When the sweep has finished, click Remove. Click Select All and then Next
• From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
• Exit Spy Sweeper.

STEP 3.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful")
• Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
• If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
• When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Empty Recycle Bin
Reboot

Please post the results from SpySweeper, ewido and a new hijackthis log.

[Daytek85]

Hello, thank you for the reply, I have finished all the scans now and I will post the logs in a second, but I wanted to say a few things first. The first thing is when you said in green text if I used spyblaster or IE I had to enable the protection again or something? I use internet explorer as my browser, so how do I re-protect myself? I dont understand what you mean when you said "run the batch file". Also with spysweeper I had some troubles with the program, first time I scanned I forgot to show extensions for known formats so I stopped it 5 minutes in, second time it froze on some file it was trying to scan (it was a demo of a game i downloaded) so I had to ctrl+alt+del and end it, then I rebooted and erased the demo (I didn't want it anyway! lol). Then when I started spysweeper again it said something in my host file was changed and to fix it. It was from a lineage2 server so I hit fix as I did not want those anymore, I am sure it is all in the log, I am sorry if I did something wrong, here are the logs. Oh one more thing, when I was running ewido and it found a tracker cookie it didn't say clean it only had actions, remove, or none. so I did remove hope thats ok.

********
6:31 PM: | Start of Session, Saturday, June 17, 2006 |
6:31 PM: Spy Sweeper started
6:31 PM: Sweep initiated using definitions version 701
6:31 PM: Starting Memory Sweep
6:34 PM: Memory Sweep Complete, Elapsed Time: 00:02:13
6:34 PM: Starting Registry Sweep
6:34 PM: Registry Sweep Complete, Elapsed Time:00:00:08
6:34 PM: Starting Cookie Sweep
6:34 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:34 PM: Starting File Sweep
6:41 PM: Found Adware: bingofun games
6:41 PM: lt33xg.mid (ID = 51219)
6:52 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
6:52 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
6:52 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
6:52 PM: Warning: Unhandled Archive Type
6:52 PM: Warning: Unhandled Archive Type
6:52 PM: Warning: Unhandled Archive Type
6:52 PM: Warning: Unhandled Archive Type
6:52 PM: Warning: Unhandled Archive Type
6:52 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
6:53 PM: Warning: Unhandled Archive Type
6:55 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: Warning: Unhandled Archive Type
6:57 PM: File Sweep Complete, Elapsed Time: 00:23:28
6:57 PM: Full Sweep has completed. Elapsed time 00:25:51
6:57 PM: Traces Found: 1
6:58 PM: Removal process initiated
6:58 PM: Quarantining All Traces: bingofun games
6:58 PM: Removal process completed. Elapsed time 00:00:00
********
5:42 PM: | Start of Session, Saturday, June 17, 2006 |
5:42 PM: Spy Sweeper started
5:42 PM: Sweep initiated using definitions version 701
5:42 PM: Starting Memory Sweep
5:44 PM: Memory Sweep Complete, Elapsed Time: 00:02:25
5:44 PM: Starting Registry Sweep
5:44 PM: Registry Sweep Complete, Elapsed Time:00:00:09
5:44 PM: Starting Cookie Sweep
5:44 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:44 PM: Starting File Sweep
5:52 PM: Found Adware: bingofun games
5:52 PM: lt33xg.mid (ID = 51219)
6:03 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
6:03 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
6:03 PM: Warning: Unable to sweep compressed file: System Error. Code: 5.
Access is denied
6:04 PM: Warning: Unhandled Archive Type
6:04 PM: Warning: Unhandled Archive Type
6:04 PM: Warning: Unhandled Archive Type
6:04 PM: Warning: Unhandled Archive Type
6:04 PM: Warning: Unhandled Archive Type
6:04 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
6:05 PM: Warning: Unhandled Archive Type
6:06 PM: Warning: Unhandled Archive Type
6:26 PM: Sweep Canceled
6:31 PM: Processing Hosts File Alerts
6:31 PM: Fixed Hosts File entry: L2authd.lineage2.com
6:31 PM: Fixed Hosts File entry: L2testauthd.lineage2.com
6:31 PM: | End of Session, Saturday, June 17, 2006 |
********
5:33 PM: | Start of Session, Saturday, June 17, 2006 |
5:33 PM: Spy Sweeper started
5:33 PM: Sweep initiated using definitions version 701
5:33 PM: Starting Memory Sweep
5:37 PM: Memory Sweep Complete, Elapsed Time: 00:03:40
5:37 PM: Starting Registry Sweep
5:37 PM: Registry Sweep Complete, Elapsed Time:00:00:09
5:37 PM: Starting Cookie Sweep
5:37 PM: Found Spy Cookie: about cookie
5:37 PM: user@about[2].txt (ID = 2037)
5:37 PM: Found Spy Cookie: yieldmanager cookie
5:37 PM: user@ad.yieldmanager[1].txt (ID = 3751)
5:37 PM: Found Spy Cookie: atlas dmt cookie
5:37 PM: user@atdmt[2].txt (ID = 2253)
5:37 PM: user@compactiongames.about[2].txt (ID = 2038)
5:37 PM: Found Spy Cookie: overture cookie
5:37 PM: user@data4.perf.overture[1].txt (ID = 3106)
5:37 PM: Found Spy Cookie: wtlive.com cookie
5:37 PM: user@dcstest.wtlive[1].txt (ID = 3700)
5:37 PM: Found Spy Cookie: fastclick cookie
5:37 PM: user@fastclick[2].txt (ID = 2651)
5:37 PM: Found Spy Cookie: tacoda cookie
5:37 PM: user@tacoda[2].txt (ID = 6444)
5:37 PM: Found Spy Cookie: tribalfusion cookie
5:37 PM: user@tribalfusion[1].txt (ID = 3589)
5:37 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:37 PM: Starting File Sweep
5:38 PM: Sweep Canceled
5:38 PM: File Sweep Complete, Elapsed Time: 00:01:12
5:38 PM: Traces Found: 9
5:38 PM: Removal process initiated
5:38 PM: Quarantining All Traces: about cookie
5:38 PM: Quarantining All Traces: atlas dmt cookie
5:38 PM: Quarantining All Traces: fastclick cookie
5:38 PM: Quarantining All Traces: overture cookie
5:38 PM: Quarantining All Traces: tacoda cookie
5:38 PM: Quarantining All Traces: tribalfusion cookie
5:38 PM: Quarantining All Traces: wtlive.com cookie
5:38 PM: Quarantining All Traces: yieldmanager cookie
5:38 PM: Removal process completed. Elapsed time 00:00:00
********
5:30 PM: | Start of Session, Saturday, June 17, 2006 |
5:30 PM: Spy Sweeper started
5:31 PM: Your spyware definitions have been updated.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:26:55 PM, 6/17/2006
+ Report-Checksum: A612F481

+ Scan result:

C:\Documents and Settings\User\Cookies\user@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 7:27:41 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Tyson\hijackthis.exe

O1 - Hosts: 206.222.29.130 L2authd.lineage2.com
O1 - Hosts: 206.222.29.130 L2testauthd.lineage2.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_2.2.1.87.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1142492615593
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42742643-1B40-4A7C-A175-FFFA80806D96}: NameServer = 192.168.10.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Susan528]

You did fine.

Don't worry about the "run batch file"-- all that means is that IE/Spyads would need to be set-up again.

Let's do one more scan please.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
• Now click on Scan Settings
• In the scan settings make that the following are selected:
• Scan using the following Anti-Virus database:
• Standard
• Scan Options:
• Scan Archives
• Scan Mail Bases
• Click OK
• Now under select a target to scan:
• Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display if your system has been infected.
• Now click on the Save as Text button:
• Save the file to your desktop.

Copy and paste that information from Kapersky in your next post.

Please post (reply) with the results from Kapersky.

[Daytek85]

Hey again, here is the scan results, once again I hope this was ok, it finished scanning my harddrive then it started to scan my DVD drive, and I had a game in there, so it started taking so long scanning like 1.cab or something sO i just took the DVD out... lol. I think it was fully done with my harddrive tho. ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Sunday, June 18, 2006 5:33:35 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.78.0 Kaspersky Anti-Virus database last update: 19/06/2006 Kaspersky Anti-Virus database records: 189243 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: A:\ C:\ D:\ E:\ Scan Statistics: Total number of scanned objects: 97900 Number of viruses found: 1 Number of infected objects: 1 Number of suspicious objects: 0 Duration of the scan process: 01:17:00 Infected Object Name / Virus Name / Last Action C:\System Volume Information\_restore{996FF943-98A4-4096-837A-FF7BFB68B03F}\RP89\A0016472.exe Infected: Trojan-Clicker.Win32.VB.lb skipped Scan process completed. Thx again.

[Susan528]

Good work Daytek85,

Your hijackthis log appears to be clean. Step 3 will clear the infected restore file.

Please do the following and be sure to install the latest Java update.

STEP 1.
======
Cleanmgr
To clean temporary files:

• Go > start > run and type cleanmgr and click OK
• Scan your system for files to remove.
• Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
• Click OK to remove those files.
• Click Yes to confirm deletion.

STEP 2.( Windows XP only)
======
Prefetch Folder
Open C:\Windows\Prefetch\
Delete All files in this folder but not the Prefetch folder

STEP 3.
======
System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

• Turn off System Restore.
• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore.
• Click Apply, and then click OK.

Reboot.

Turn ON System Restore.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• UN-Check *Turn off System Restore*.
• Click Apply, and then click OK.

STEP 4.
======
DON’T BECOME OVERCONFIDENT WITH ANTIVIRUS APPLICATIONS INSTALLED!!!

http://forum.malware...39eba6ea0b5e8ee

Stay up to date on security patches and be extremely wary of clicking on links and attachments that arrive unbidden in instant messages and e-mail.

"The number one thing the majority of the malicious code we're seeing now does is disable or delete anti-virus and other security software," Dunham said. "In a lot of cases, once the user clicks on that attachment, it's already too late."

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

• Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
  
• Test your Firewall - Please test your firewall and make sure it is working properly.
  Test Firewall
  
  
• Visit Microsoft's Update Site Frequently - It is important that you visit Windows Updates regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
  
• Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.
  A tutorial on installing & using this product can be found here:
  Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
  
  
• Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
  A tutorial on installing & using this product can be found here:
  Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
  
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  A tutorial on installing & using this product can be found here:
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update your Java to the latest version. Uninstall any and all versions you have listed in add/remove programs and install the latest version from here:
  Java Software Java Runtime Environment Version 5.0 Update 7
  http://www.java.com/...load/manual.jsp
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  
  
• More info on how to prevent malware you can also find here (By Tony Klein)

Follow this list and your potential for being infected again will reduce dramatically.

Thank you for allowing me to assist you.

Susan

[Susan528]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php