HELP - My Log
#1
Posted 21 February 2007 - 08:40 AM
#2
Posted 21 February 2007 - 05:05 PM
My name is Vino Rosso - if it helps, you can call me Vino for short. I would be glad to take a look at your log and help you with solving any malware problems.
HijackThis logs can take a little time to research so I'd ask you to please be patient and I'd be grateful if you would note the following:
- I will be working on your malware issues; this may or may not solve other issues you have with your machine.
- The fixes are specific to your problem and should only be used for this issue on this machine.
- Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
- It's often worth reading through these instructions and printing them for ease of reference.
- If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
- Finally, please reply to this thread. Do not start a new topic.
I have looked through your HijackThis log and cannot see any sign that you are using a firewall. Have you got Windows XP firewall running? If not, please turn it on via Start > Control Panel > Security Center > Windows Firewall. This is better than nothing but it only protects against incoming traffic. It doesn't protect you against outgoing baddies trying to "phone home". I strongly recommend that you install a firewall that monitors traffic in both directions. Please have a look at this article >here< which provides good information and links to free firewalls.
2 - SDFix
Download SDFix from >here< and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually
- Instead of Windows loading as normal, the Advanced Options Menu should appear
- Using the Up Arrow key on your keyboard, select the first option to run Windows in Safe Mode, then press Enter
- Choose your usual account.
- Open the SDFix folder and double click RunThis.bat to start the script
- Type Y to begin the cleanup process
- It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot
- Press any key and your PC will restart
- When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons
- Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum) - Finally, paste the contents of the Report.txt in your next post
After you have completed the above, please post:
- the SDFix report
- and a new HijackThis log
Vino
Member of ASAP and Unite
The help we provide is free. If you wish to support us, please consider a small donation
#3
Posted 21 February 2007 - 06:07 PM
#4
Posted 22 February 2007 - 02:59 AM
> FYI, my Windows Firewall is ON, but nevertheless I'll download one of those firewalls. A little help though: I already have Zone Alarm, should I install it, or are others better?
It's really a personal choice. Some like Zone Alarm, others prefer Kerio or Outpost. Most believe Norton is a bit of a resource hog. I have Zone Alarm installed and am very happy with it. Whichever you choose, it IS worth installing to block outgoing connections that shouldn't be there.
> Another question: I've heard different stories about "Windows automatic updates". For now it's OFF on my PC. Should I turn it on?
The danger of turning updates off is that you'll not get any notification of critical/important updates to your computer. It's also likely that you'll forget to check for them. If you'd rather not have the updates set to Automatic, which is recommended, because perhaps you are on dial-up, you should have them set to, as a minimum, 'Notify me but don't automatically download or install them'. This option will warn you that updates are available and you can choose when to download them. Note that it is important you do not ignore these notifications. Not downloading them will leave your computer vulnerable. Turning off automatic updates is definitely NOT recommended.
> As for the SDFix part, I'll do that in the morning and I'll post you right back.
OK.
#5
Posted 22 February 2007 - 06:49 PM
I did what you told me, and here are the logs:
1. SDFix log
SDFix: Version 1.67
Run by Branka Antonic - Fri 02/23/2007 @ 1:31:58.71
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
MsaSvc
Path:
C:\WINDOWS\system32\msasvc.exe
MsaSvc Deleted
Restoring Windows Registry Entries
Restoring Default Hosts File
Killing PID 148 'smss.exe'
Killing PID 224 'winlogon.exe'
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\DOCUME~1\BRANKA~1\LOCALS~1\Temp\popuplog.txt - Deleted
C:\DOCUME~1\BRANKA~1\LOCALS~1\Temp\SysConf.conf - Deleted
C:\WINDOWS\ie-hook.txt - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted
ADS Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Programi\\FILM\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\Programi\\FILM\\K-Lite Codec Pack\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Programi\\mirc\\mirc32.exe"="C:\\Program Files\\Programi\\mirc\\mirc32.exe:*:Enabled:mIRC Internet Relay Chat Client"
"C:\\Program Files\\Programi\\Hamachi\\hamachi.exe"="C:\\Program Files\\Programi\\Hamachi\\hamachi.exe:*:Enabled:Hamachi"
"C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe"="C:\\Program Files\\Microsoft Games\\Age of Mythology\\aom.exe:*:Enabled:aom"
"C:\\Valve\\Condition Zero\\czero.exe"="C:\\Valve\\Condition Zero\\czero.exe:*:Enabled:Condition Zero Launcher"
"C:\\windows\\system32\\explore.exe"="C:\\windows\\system32\\explore.exe:*:Enabled:Enabled"
"C:\\Documents and Settings\\Branka Antonic\\Desktop\\01.exe"="C:\\Documents and Settings\\Branka Antonic\\Desktop\\01.exe:*:Enabled:Enabled"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Documents and Settings\Branka Antonic\Application Data\Microsoft\Office\Shortcut Bar\Pro13.tmp
C:\Documents and Settings\Branka Antonic\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Branka Antonic\Local Settings\Temp\Pro13.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG
C:\WINDOWS\Temp\$_2341235.TMP
Add/Remove Programs List:
123 Free Solitaire
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Photoshop 7.0
Age of Mythology
Agere Systems PCI Soft Modem
AstroPop Deluxe 1.0
DiskSweeper FREE 1.0
Fallout2
Hamachi 1.0.1.1
HijackThis 1.99.1
Canon EOS 10D WIA Driver
ASUS SmartDoctor
Canon Utilities RemoteCapture 2.7
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities File Viewer Utility 1.3
ASUS GameFace Live
Canon Internet Library for ZoomBrowser EX
Canon Camera Window for ZoomBrowser EX
Nokia PC Suite 5.8
Canon Utilities PhotoStitch 3.1
ASUS Utilities
Canon RAW Image Task for ZoomBrowser EX
ItalianNow!
K-Lite Mega Codec Pack 1.01
KoolPlaya
Kyodai Mahjongg
Lexmark Software Uninstall
Mozilla Firefox (2.0)
Nero OEM
New.net Domains 7.48
NOD32 antivirus system
NVIDIA Drivers
QuickTime
RadLight
Shockwave
Macromedia Flash Player 8
Spybot - Search & Destroy 1.4
Visual Task Tips 2.1
Winamp (remove only)
WinRAR archiver
MSXML4 Parser
Canon Camera WIA Driver
Noiseware Community Edition
ASUS SmartDoctor
RemoteCapture 2.7.5
RemoteCapture Task
File Viewer Utility 1.3.2
OLYMPUS CAMEDIA Master 4.2
ASUS Enhanced Display Driver
PowerDVD
ASUS GameFace Live
CIG
Age of Empires III
Microsoft Office XP Professional with FrontPage
Camera Window
BlueSoleil
Canon PhotoRecord
Canon Utilities ZoomBrowser EX
NOD32 FiX v2.1
Nokia PC Suite 5.8
PhotoStitch
ASUS Utilities
RAW Image Task
3DMark03
Finished
2. HJT log
Logfile of HijackThis v1.99.1
Scan saved at 1:41:26 AM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Programi\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Programi\Winamp\winampa.exe
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\HELP\SQQNO1.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\Programi\VisualTaskTips\VisualTaskTips.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_4.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
3. A few questions:
- Now that I extracted SDFix, I can move the SDFIx.exe file into a folder? No need to be on the desktop I suppose?
- I already told you that I got Zone Alarm. The installation wizard asks me if I want a Pro version (which I should pay) or the Personal version (which is free). My question is: is the Personal version enough, or should I upgrade it to Pro?
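The SDFix report above includes an export of the Windows Firewall exception list ("Authorized Application Key Export"). Nobody in the thread comments on those entries, but they are one of the things a log reviewer scans on an XP SP2 machine, because an exception is an outbound-irrelevant but inbound-open hole for whatever binary it names. The following is an added example, not code from the thread, from SDFix or from HijackThis: it parses the registry-style lines SDFix prints and flags entries worth a second look using three heuristics of my own (a placeholder display name, a binary living under a user profile or temp directory, and a file name one character away from a core Windows binary). The sample input is an excerpt of the StandardProfile list posted above. A flag is a prompt to go and verify the file, not a verdict.

```python
"""Triage Windows XP SP2 firewall exceptions as exported by SDFix (.reg-style lines)."""
import re

# Value format under ...\FirewallPolicy\<Profile>\AuthorizedApplications\List:
#   "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>"
_LINE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>.*)"$')

# Core Windows binaries that malware likes to imitate by name.
# Assumption: this short list is illustrative, not exhaustive.
SYSTEM_BINARIES = {"explorer.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe"}

# Excerpt of the StandardProfile list from the SDFix report posted in this thread
# (copied from the page; several entries omitted for brevity).
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Programi\\mirc\\mirc32.exe"="C:\\Program Files\\Programi\\mirc\\mirc32.exe:*:Enabled:mIRC Internet Relay Chat Client"
"C:\\windows\\system32\\explore.exe"="C:\\windows\\system32\\explore.exe:*:Enabled:Enabled"
"C:\\Documents and Settings\\Branka Antonic\\Desktop\\01.exe"="C:\\Documents and Settings\\Branka Antonic\\Desktop\\01.exe:*:Enabled:Enabled"
"C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe:*:Enabled:TrueVector Service"
'''


def parse_exceptions(export_text):
    """Return one dict per authorized-application line: path, scope, state, name."""
    entries = []
    for raw in export_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue                                      # section header, blank line
        value = m.group("value").replace("\\\\", "\\")    # undo .reg backslash escaping
        path, scope, state, name = value.rsplit(":", 3)   # the path itself contains "C:"
        entries.append({"path": path, "scope": scope, "state": state.lower(), "name": name})
    return entries


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_exceptions(entries):
    """Map each enabled exception's path to the reasons it deserves a second look."""
    flagged = {}
    for e in entries:
        if e["state"] != "enabled":
            continue
        reasons = []
        basename = e["path"].rsplit("\\", 1)[-1].lower()
        lowered = e["path"].lower()
        if e["name"].strip().lower() in ("", "enabled"):
            reasons.append("placeholder display name")
        if "\\documents and settings\\" in lowered or "\\temp\\" in lowered:
            reasons.append("binary lives in a user profile or temp directory")
        for known in SYSTEM_BINARIES:
            if basename != known and _edit_distance(basename, known) == 1:
                reasons.append(f"name is one character away from {known}")
        if reasons:
            flagged[e["path"]] = reasons
    return flagged


if __name__ == "__main__":
    for path, reasons in flag_exceptions(parse_exceptions(SAMPLE_EXPORT)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the excerpt this prints two paths: the system32 binary whose name is one letter short of explorer.exe, and the desktop 01.exe, both of which also carry the display name "Enabled" rather than a product name. The next step for a reviewer is to check whether those files exist, their signature and their timestamps, not to delete on the strength of a name heuristic.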
#6
Posted 23 February 2007 - 02:01 AM
Please do not move or delete anything. We'll tidy things up once we have your computer cleaned.
The Personal (free) version is a good firewall and is sufficient if you are using a separate antivirus and other protection programs. If you get on with Zone Alarm, you could consider upgrading later. You can find a comparison >here<
I'm having a look through the logs you've posted and will be back as soon as I can.
Thanks
#7
Posted 23 February 2007 - 11:05 AM
#8
Posted 23 February 2007 - 03:04 PM
You should print out these instructions for reference as you will not have access to the internet during this fix.
Please read through these instructions and ask any questions.
1 - Remove Programs
Go to Start > Control Panel > Add/Remove Programs
If present, remove the following programs:
** Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.
New.net Domains 7.48
Close the Control Panel
2 - Run HijackThis Scan and Fix
Start HijackThis and click Do a system scan only
Tick the following entries, if present:
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O4 - HKLM\..\Run: [RavTimeXP] C:\WINDOWS\HELP\SQQNO1.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_4.dll
Close all windows except HijackThis
Click Fix Checked in HijackThis.
3 - Delete suspect files/folders
Using Windows Explorer, browse for the following files/folders and delete as instructed
NB Some files may have already been deleted by earlier actions so don't worry if you do not see them:
C:\WINDOWS\Help\SQQNO1.exe <=== This file only
C:\WINDOWS\System32\win_4.dll <=== This file only
C:\Program Files\NewDotNet <=== This folder only
4 - Clean Out Temporary Files
Download ATF Cleaner by Atribune © from >here<
This is a stand-alone program that does not need to be installed. Save it to a convenient location and make a shortcut on your desktop. Using this program will remove temporary files, temporary internet files and cookies from your system, which will mean that any scans will run faster.
- Make sure that all browser windows are closed
- Double-click the shortcut on your desktop to run the program.
- Under Main, choose Select All
- UNtick Prefetch
- Click Empty Selected
- If you use Firefox browser,
- Click Firefox at the top and choose Select All
- Click on Empty Selected
- NOTE: If you would like to keep any saved passwords, please untick that option.
- If you use Opera browser,
- Click Opera at the top and choose Select All
- Click on Empty Selected
- NOTE: If you would like to keep any saved passwords, please untick that option.
- Click Exit to close.
5 - AVG Anti-Spyware
Download the trial version of AVG Anti-Spyware from >here< and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.
Do not run a scan yet.
If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:
- Click the Update icon at the top and under Manual Update click the Start update button.
- The program will either update or inform you that no update was available.
- Click the Shield icon at the top and under Resident shield is... click active. This should now change to inactive.
- Click the Update icon and untick the automatic update option.
- Click the Scanner icon at the top and then click the Settings Tab.
- Under How to act? click Recommended actions and select Quarantine from the menu.
You will need to reboot your computer into Safe Mode for the next steps. It would be a good idea for you to print these instructions, as you will not have access to the internet.
Important: If you have an always on connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
6 - Boot to Safe Mode
- Restart your computer.
- Continually tap the F8 button as your computer is booting (a menu appears).
- Use up-arrow key to select Safe Mode and press Enter.
- Click on Scanner on the toolbar.
- Click on the Settings tab.
- Under How to act? - make sure that Quarantine is selected.
- Under How to scan? - All checkboxes should be ticked.
- Under Possibly unwanted software - All checkboxes should be ticked.
- Under Reports - Select Automatically generate report after every scan and uncheck Only if threats were found.
- Under What to scan? - Select Scan every file.
- Click on the Scan tab.
- Click on Complete System Scan to start the scan process.
- Let the program scan your computer.
- When the scan has finished, follow the instructions below:
- Make sure that Set all elements to: shows Quarantine
- Important: Click on the Apply all Actions button (*** This must be done before saving the report ***)
- When the program has finished, it will display the message All actions have been applied.
- Then click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
- Right-click the AVG Tray Icon and select Exit.
7 - Check on status
After you have completed the above, please reboot and provide:
- the AVG Anti-Spyware Scan report
- a new HijackThis log
- and a description of how your PC is behaving - what problems are you now experiencing?
Good Luck
Vino
#9
Posted 24 February 2007 - 08:23 PM
1. the AVG Anti-Spyware Scan report
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 2:43:31 AM 2/25/2007
+ Scan result:
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP217\A0737329.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671192.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672228.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672428.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672429.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672430.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672431.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0690246.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP202\A0693431.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP202\A0693433.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP212\A0727354.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP213\A0727733.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0762882.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0763527.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0763528.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0765932.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP232\A0786345.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0788339.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0789337.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0789481.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0789921.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0789922.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP235\A0792307.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP235\A0792308.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP237\A0794872.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_90.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_48.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-507921405-839522115-1003\Software\GoGoData\AdBuster\SpyDeny\ValidBHOList\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-507921405-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\Branka Antonic\Local Settings\Temp\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\Programi\RadLight\RadLight SE\RPKi\RPK.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0672372.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\SaveInstWm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\SaveInstWm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\SaveInstWm.exe/Weather\Uninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\SaveInstWm.exe/Weather\Weather.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP233\A0790088.exe -> Downloader.Small.crd : Cleaned with backup (quarantined).
E:\Arhive\Instalaciono\winXPsp2\OTHER\Nero 6.3.1.15\Keygen.exe -> Hijacker.Befins.b : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0679116.exe -> Hijacker.Befins.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0761778.exe -> Not-A-Virus.Hoax.Win32.Renos.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0763173.exe -> Not-A-Virus.Hoax.Win32.Renos.gc : Cleaned with backup (quarantined).
E:\Arhive\Instalaciono\winXPsp2\OTHER\WinRAR 3.0\patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
E:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0679124.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/rpcc.dll -> Proxy.Dlena.bz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP236\A0794766.dll -> Proxy.Dlena.bz : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts -> Proxy.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Branka Antonic\Cookies\branka antonic@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Branka Antonic\Cookies\branka antonic@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Branka Antonic\Local Settings\Temp\Cookies\branka antonic@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Branka Antonic\Cookies\branka antonic@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671016.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671023.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671024.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671025.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671026.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP199\A0671027.exe -> Trojan.Agent.abn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0763172.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0761777.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{D5AB14C8-536D-4EE0-816D-1B5C0FB4D152}\RP225\A0763258.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
::Report end
2. a new HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 2:46:29 AM, on 2/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe
C:\Program Files\Programi\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Programi\Winamp\winampa.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\Tools\NclTray.exe
O4 - HKLM\..\Run: [MW1HelperStartUp] C:\PROGRA~1\MAGICW~1\MW1HEL~1.EXE /partner MW1
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\\SmartDoctor.exe /start
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\Programi\VisualTaskTips\VisualTaskTips.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
3. and a description of how your PC is behaving - what problems are you now experiencing?
I noticed nothing unusual. Maybe some help as to what I should be looking for?
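A small triage script for the O4 (autorun) and O23 (service) lines in a log like the one above, added here as an example and not part of the thread or of HijackThis itself. The sample lines are constructed (the Temp-folder entry is invented); bare-filename entries it flags, such as AGRSMMSG.exe, are frequently legitimate vendor autoruns that simply need confirming rather than removing.

```python
import re

# Constructed sample lines in the HijackThis O4/O23 format used in this thread
# (not the poster's full log; the "Updater" Temp-folder entry is invented).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
USER_WRITABLE = re.compile(r"\\(Temp|Local Settings|Documents and Settings)\\", re.I)

def executable_of(cmd):
    """Pull the program path out of a Run-key command line (quoted or not)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.I)   # unquoted path, may contain spaces
    return m.group(1) if m else cmd.split()[0]

def triage(log):
    """Return (entry_name, reason) pairs for autorun/service lines worth a second look."""
    findings = []
    for line in log.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if not re.match(r"^([A-Za-z]:\\|%)", exe):
                findings.append((m.group("name"), "bare filename: found via PATH search, not a fixed location"))
            elif USER_WRITABLE.search(exe):
                findings.append((m.group("name"), "runs from a user-writable folder"))
            continue
        m = O23_RE.match(line)
        if m and m.group("path").endswith("(file missing)"):
            findings.append((m.group("name"), "service registered but binary missing: orphan or removed program"))
    return findings

if __name__ == "__main__":
    for name, why in triage(SAMPLE_LOG):
        print(f"{name:25} {why}")
```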
#10
Posted 25 February 2007 - 10:00 AM
Are you having any more problems with your computer or is everything working OK?
3. and a description of how your PC is behaving - what problems are you now experiencing?
I noticed nothing unusual. Maybe some help as to what I should be looking for?
Member of ASAP and Unite
The help we provide is free. If you wish to support us, please consider a small donation
#11
Posted 25 February 2007 - 11:04 AM
#12
Posted 25 February 2007 - 11:28 AM
1 - Delete Tools
The following files and folders were downloaded to help get rid of the malware on your PC. These can now be deleted as they are no longer required.
- C:\SDFix
This is adapted from my general post for the 'All Clean' status; however, please advise on any problems you may still have before proceeding with the following:-
Hide your System Files
These files are hidden to avoid accidental deletion so please follow these steps:
Click Start
Open My Computer
Select Tools > Folder Options > Select the View Tab
Uncheck Show hidden files and folders in the Hidden files and folders section
Select Hide protected operating system files (recommended) option
Click OK, OK
Reset your system restore points
This will remove any infected files that may have been backed up by Windows. Should you have any problems following this step, a tutorial is available >here<. Please note that you need Administrator privileges to do the following:
Turn off System Restore
Start > right-click My Computer and select Properties
Click the System Restore tab
Tick Turn off System Restore
Click Apply, and then click OK.
Restart your computer
Turn ON System Restore
Start > Right-click on My Computer and select Properties
Click on the System Restore tab
Click on C: drive then Settings
Untick Turn off System Restore on this drive
OK, OK
Make Internet Explorer more secure
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Note: If you are using IE, you may want to consider changing to Mozilla Firefox as an option; however, remember that you still need to use IE for certain sites like Microsoft Updates.
Windows Updates
Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
Anti-Virus
It is important that your computer has anti-virus software installed and it is updated at least on a weekly basis. Further information and programs can be found >here<
Firewall
Using a Firewall in its default configuration greatly reduces the risk of your computer being hacked. Further information and programs can be found >here<
Hosts File
For added protection you may also like to add a hosts file; for more information regarding hosts files, read >here<
Anti-Malware Programs (all free)
Next, if they're not already present, I would recommend the download and installation of some or all of the following programs, and the updating of them on a regular basis:
- Ad-Aware SE - This is a program that scans for and removes known spyware from your machine. >Tutorial<
- Spybot Search & Destroy - Spybot is a tool like Ad-Aware SE in that it seeks out and removes known spyware from your machine. >Tutorial<
These two tools (Ad-Aware & Spybot) are perfect complements to each other as one will most always find something the other missed.
- Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machine. >Tutorial<
- IE_Spyad - Works by placing known "bad" sites into your Internet Explorer "Restricted Zones" prohibiting them from doing potentially problematic things to your computer. >Tutorial<
Vino
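An added example, not part of the post above, that checks the six Internet-zone settings listed under "Make Internet Explorer more secure" against a .reg export of the Zones\3 key (on the machine itself the export would come from `reg export` of that key). The registry value names follow Microsoft's documented Internet Settings\Zones layout; the export text here is constructed, with several values deliberately left at the permissive setting.

```python
import re

# Registry value names for the six Internet-zone (Zones\3) settings the post changes,
# per Microsoft's documented Internet Settings\Zones layout. 0 = Enable, 1 = Prompt, 3 = Disable.
RECOMMENDED = {
    "1001": (1, "Download signed ActiveX controls"),
    "1004": (3, "Download unsigned ActiveX controls"),
    "1201": (3, "Initialise and script ActiveX controls not marked as safe"),
    "1800": (1, "Installation of desktop items"),
    "1804": (1, "Launching programs and files in an IFRAME"),
    "1607": (1, "Navigate sub-frames across different domains"),
}
ACTION = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed .reg export of the Internet zone key (1804 is absent on purpose).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000000
"1607"=dword:00000000
"1800"=dword:00000001
"""

VALUE_RE = re.compile(r'^"(?P<name>\d{4})"=dword:(?P<val>[0-9a-fA-F]{8})$')

def parse_zone_values(reg_text):
    """Map the 4-digit policy value names to integers from a .reg export of one zone key."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            values[m.group("name")] = int(m.group("val"), 16)
    return values

def audit(reg_text):
    """Return (value_name, description, current, recommended) for each setting that is
    absent or more permissive than the post recommends (Enable < Prompt < Disable)."""
    current = parse_zone_values(reg_text)
    gaps = []
    for name, (want, desc) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < want:
            gaps.append((name, desc, ACTION.get(have, "not set"), ACTION[want]))
    return gaps

if __name__ == "__main__":
    for name, desc, have, want in audit(SAMPLE_REG):
        print(f"{name} {desc}: is {have}, should be {want}")
```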
#13
Posted 25 February 2007 - 06:01 PM
#14
Posted 27 February 2007 - 10:06 AM
Edited by Foldingo, 27 February 2007 - 10:08 AM.
#15
Posted 27 February 2007 - 11:46 AM
Edited by Foldingo, 27 February 2007 - 11:48 AM.