hondo21's virus and spyware problem
#1
Posted 23 February 2007 - 07:40 AM
Register to Remove
#2
Posted 23 February 2007 - 07:41 AM
SmitFraudFix v2.144 Scan done at 6:23:07.75, Fri 02/23/2007 Run from C:\Documents and Settings\Glenn\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT The filesystem type is NTFS Fix run in normal mode »»»»»»»»»»»»»»»»»»»»»»»» hosts »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 C:\WINDOWS\system32\drvhif.dll FOUND ! »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Glenn »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Glenn\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Glenn\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32 »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End
#3
Posted 23 February 2007 - 07:42 AM
--------------------------------------------------------- AVG Anti-Spyware - Scan Report --------------------------------------------------------- + Created at: 8:12:46 AM 2/23/2007 + Scan result: C:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024555.dll -> Adware.Virtumonde : Cleaned. C:\WINDOWS\system32\iiffffe.dll -> Adware.Virtumonde : Cleaned. D:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024557.exe -> Downloader.Agent.bdr : Cleaned. D:\Temporary Internet Files\Content.IE5\1NAZJU9R\xc37[1].exe -> Downloader.Agent.bdr : Cleaned. D:\WINDOWS\TEMP\winAEC.tmp.exe -> Downloader.Agent.bdr : Cleaned. D:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024556.exe -> Downloader.Agent.bgn : Cleaned. C:\Documents and Settings\Glenn\Local Settings\Temp\Rar$EX16.688\keygen.exe -> Downloader.Small.edb : Cleaned. C:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024646.exe -> Downloader.Tiny.fk : Cleaned. C:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024664.exe -> Downloader.Tiny.fk : Cleaned. D:\Temporary Internet Files\Content.IE5\F32W0R4Y\xc23[1].exe -> Downloader.Tiny.fk : Cleaned. D:\WINDOWS\TEMP\winADD.tmp.exe -> Downloader.Tiny.fk : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@grouplotto.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@www.abcsearch[1].txt -> TrackingCookie.Abcsearch : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@ads15.bpath[1].txt -> TrackingCookie.Bpath : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned. C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@com[1].txt -> TrackingCookie.Com : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@enhance[2].txt -> TrackingCookie.Enhance : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@sales.liveperson[5].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@sales.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@data1.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Glenn\Cookies\glenn@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Sheli\Cookies\sheli@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned. C:\Documents and Settings\Rebekah\Cookies\rebekah@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned. C:\Documents and Settings\Glenn\Local Settings\Temp\mst8B.tmp -> Trojan.Agent.qt : Cleaned. C:\System Volume Information\_restore{A9FC58BD-0001-4B2D-8765-AC646203D592}\RP132\A0024553.dll -> Trojan.Agent.qt : Cleaned. C:\WINDOWS\system32\winygm32.dll -> Trojan.Agent.qt : Cleaned. D:\Temporary Internet Files\Content.IE5\F32W0R4Y\xc29[1].exe -> Trojan.Agent.qt : Cleaned. ::Report end
#4
Posted 23 February 2007 - 07:43 AM
Logfile of HijackThis v1.99.1
Scan saved at 8:25:48 AM, on 2/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Avast\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Avast\ashDisp.exe
F:\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
F:\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\QUICKENW\QWDLLS.EXE
F:\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\devldr32.exe
F:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com...07.php?lang=eng
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [syswin] C:\WINDOWS\system32\v6.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvhif.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "f:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = F:\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163301421320
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163302972925
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#5
Posted 01 March 2007 - 05:02 PM
Warning: running option #2 on a non infected computer will remove your Desktop background.
Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
Reboot your computer in Safe Mode.
- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected.
- Press Enter. The computer then begins to start in Safe mode.
- Login on your usual account.
Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.
A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.
The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________
Clean out your Temporary Internet files. Proceed like this:
- Quit Internet Explorer and quit any instances of Windows Explorer.
- Click Start, click Control Panel, and then double-click Internet Options.
- On the General tab, click Delete Files under Temporary Internet Files.
- In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
- On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
- Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
- Click OK.
Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________
Please post:
1.c:\rapport.txt
2.A new HijackThis log
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#6
Posted 01 March 2007 - 10:22 PM
One of the problems I've continued to have is that I always have a popup IE window that goes to "broadcaster.com" shortly after I start IE. But I haven't checked that again since running your instructions, since I stayed in Safe Mode. (I'm posting this from a separate PC.)
Here are the requested logfiles:
rapport.txt
SmitFraudFix v2.144
Scan done at 22:45:18.07, Thu 03/01/2007
Run from C:\Documents and Settings\Glenn\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
HijackThis log
Logfile of HijackThis v1.99.1
Scan saved at 11:05:03 PM, on 3/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
F:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com...07.php?lang=eng
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163301421320
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163302972925
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#7
Posted 02 March 2007 - 03:23 PM
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#8
Posted 02 March 2007 - 06:57 PM
New log:
Logfile of HijackThis v1.99.1
Scan saved at 7:45:29 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashServ.exe
f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Avast\ashDisp.exe
F:\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
F:\iTunes\iTunesHelper.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\system32\wuauclt.exe
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\devldr32.exe
F:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com...07.php?lang=eng
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163301421320
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163302972925
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
#9
Posted 02 March 2007 - 07:01 PM
Open the HijackThis Folder. Find the file HijackThis.exe, Right Click on the file and Select Rename. Rename Hijackthis.exe to Spyware.exe.
Post a new HijackThis Log.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#10
Posted 02 March 2007 - 08:48 PM
Edited by hondo21, 02 March 2007 - 09:05 PM.
Register to Remove
#11
Posted 02 March 2007 - 08:50 PM
After the above
Post a new HijackThis log
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#12
Posted 02 March 2007 - 09:04 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:01:03 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Avast\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashServ.exe
f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\Avast\ashDisp.exe
F:\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
F:\iTunes\iTunesHelper.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
F:\QUICKENW\QWDLLS.EXE
F:\Avast\ashMaiSv.exe
F:\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\Hijackthis\Spyware.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft....k/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com...07.php?lang=eng
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - f:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F04B6C5-B562-4563-AE39-BC211D6DD903} - C:\WINDOWS\system32\gebaw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E3595C5-6F6D-44B2-BC8B-FA2DAF1EE33C} - (no file)
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163301421320
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163302972925
O20 - Winlogon Notify: gebaw - C:\WINDOWS\system32\gebaw.dll
O20 - Winlogon Notify: iiffffe - iiffffe.dll (file missing)
O20 - Winlogon Notify: winygm32 - winygm32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Edited by hondo21, 02 March 2007 - 09:05 PM.
#13
Posted 02 March 2007 - 09:06 PM
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
#14
Posted 02 March 2007 - 09:34 PM
Checking Java version...
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Scan started at 10:11:49 PM 3/2/2007
Listing files found while scanning....
C:\WINDOWS\system32\gebaw.dll
C:\WINDOWS\system32\nsdpxdeh.exe
C:\WINDOWS\system32\tfbghulj.dll
C:\WINDOWS\system32\wabeg.bak1
C:\WINDOWS\system32\wabeg.bak2
C:\WINDOWS\system32\wabeg.ini
Beginning removal...
Attempting to delete C:\WINDOWS\system32\gebaw.dll
C:\WINDOWS\system32\gebaw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nsdpxdeh.exe
C:\WINDOWS\system32\nsdpxdeh.exe Has been deleted!
Attempting to delete C:\WINDOWS\system32\tfbghulj.dll
C:\WINDOWS\system32\tfbghulj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wabeg.bak1
C:\WINDOWS\system32\wabeg.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wabeg.bak2
C:\WINDOWS\system32\wabeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\wabeg.ini
C:\WINDOWS\system32\wabeg.ini Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 10:31:04 PM, on 3/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Avast\aswUpdSv.exe
F:\Avast\ashServ.exe
f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
F:\Avast\ashDisp.exe
F:\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
F:\iTunes\iTunesHelper.exe
F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
F:\QUICKENW\QWDLLS.EXE
F:\Avast\ashMaiSv.exe
C:\WINDOWS\system32\wuauclt.exe
F:\Avast\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
F:\Hijackthis\Spyware.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.avast.com...07.php?lang=eng
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - f:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6F04B6C5-B562-4563-AE39-BC211D6DD903} - C:\WINDOWS\system32\gebaw.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {8E3595C5-6F6D-44B2-BC8B-FA2DAF1EE33C} - (no file)
O4 - HKLM\..\Run: [avast!] F:\Avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "F:\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "F:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = F:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = F:\QUICKENW\QWDLLS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1163301421320
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163302972925
O20 - Winlogon Notify: iiffffe - iiffffe.dll (file missing)
O20 - Winlogon Notify: winygm32 - winygm32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Avast\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Avast\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - f:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
No popups since I've opened IE7 to post this reply!
#15
Posted 02 March 2007 - 09:38 PM
O2 - BHO: (no name) - {6F04B6C5-B562-4563-AE39-BC211D6DD903} - C:\WINDOWS\system32\gebaw.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: iiffffe - iiffffe.dll (file missing)
O20 - Winlogon Notify: winygm32 - winygm32.dll (file missing)
Close ALL windows and browsers except HijackThis and click "Fix checked"
Reboot and "copy/paste" a new HijackThis log file into this thread.
Also please describe how your computer behaves at the moment.
The forum is run by volunteers who donate their time and expertise.
Want to help others? Join the ClassRoom and learn how.
Logs will be closed if you haven't replied within 3 days
If you would like to for the help you received.
Proud graduate of TC/WTT Classroom
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users