Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93105 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Multiple Virus Attacks! Hjt Log Attached! Help!

Started by Qball , Apr 11 2007 04:04 PM

  • This topic is locked This topic is locked
6 replies to this topic

#1 Qball

Qball

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 11 April 2007 - 04:04 PM

Help, came back from a week long vacation to find that my daughter has overloaded the computer with viruses somehow. To her credit she tried to fix things by downloading just about every anti-virus software and spyware program that she could get her hands on, along with following to much different advice from techno-communication teenage junkies. Nevertheless this type of mess needs some expert help. Spybot and Adware SE have always been on this computer so without further delay here is the HijackThis Log, THANKS IN ADVANCE:

Logfile of HijackThis v1.99.1
Scan saved at 5:06:54 PM, on 4/11/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINNT\Explorer.EXE
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Softwin\BitDefender8\bdmcon.exe
C:\Program Files\Softwin\BitDefender8\bdnagent.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
F:\Downloaded Programs\Process Explorer\ProcessExplorerNt\procexp.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\system32\mshta.exe
F:\Program Files\CCleaner\ccleaner.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender8\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Program Files\Softwin\BitDefender8\bdnagent.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP

Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search -

http://kb.bar.need2f...earch.html?p=KB
O8 - Extra context menu item: Encarta &Definition -

http://ca.encarta.ms...kDictionary.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control)

- http://install.anark...en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage

Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky...can_unicode.cab
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control)

- http://install.anark...en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) -

http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent

6.6) -

http://housecall65.t...n32/activex/hcI

mpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) -

http://eserv.sympati...adaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -

http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group

Hardware Control) -

https://disneyblast....wareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -

http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://spaces.msn.co....cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) -

http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base

Module) -

http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) -

http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...nt/muweb_site.c

ab?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent

6.5) -

http://housecall65.t...n32/activex/hcI

mpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl

Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -

http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}:

Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -

D:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program

Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program

Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: DefWatch - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program

Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS

Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation -

C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec

Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner -

C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. -

C:\program files\sygate\ssa\smc.exe
O23 - Service: SysEnforce - Unknown owner - F:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

(file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program

Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file

missing)

    Advertisements

Register to Remove

#2 Shaba

Shaba

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 769 posts
  • MVP

Posted 12 April 2007 - 12:42 AM

Hi Qball

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure Run fixit is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads, post the text that will open (report.txt) and a new Hijackthis log in the forum please.
Post:

- a fresh HijackThis log
- sdfix report
- fixwareout report
UNITE and ASAP member since 2006

Posted Image

#3 Qball

Qball

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 13 April 2007 - 07:05 PM

Thanks Shaba

Here are the log reports that you asked for:


Logfile of HijackThis v1.99.1
Scan saved at 8:17:46 PM, on 4/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
SDFixF:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
F:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HijackThis\AnalyzeMe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://sympatico.msn.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive

Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec

AntiVirus\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "F:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP

Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search -

http://kb.bar.need2f...earch.html?p=KB
O8 - Extra context menu item: Encarta &Definition -

http://ca.encarta.ms...kDictionary.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -

%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 -

{85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control)

- http://install.anark...en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage

Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky...can_unicode.cab
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control)

- http://install.anark...en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) -

http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent

6.6) -

http://housecall65.t...n32/activex/hcI

mpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) -

http://eserv.sympati...adaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -

http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -

http://security.syma...bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group

Hardware Control) -

https://disneyblast....wareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) -

http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://spaces.msn.co....cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) -

http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -

http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base

Module) -

http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -

http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) -

http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...nt/muweb_site.c

ab?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent

6.5) -

http://housecall65.t...n32/activex/hcI

mpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) -

http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl

Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -

http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}:

Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}:

NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

implementation.teranet.ca,teranet.ca,datacentres.teranet.ca,corp.teranet.ca,sandbox.

teranet.ca,teranet.on.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41

85.255.112.125
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -

D:\CDS300\__CDS2.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program

Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil

Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program

Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation -

C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program

Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS

Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program

Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation -

C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec

Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner -

C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. -

C:\program files\sygate\ssa\smc.exe
O23 - Service: SysEnforce - Unknown owner - F:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE

(file missing)

SDFix Log File:


SDFix: Version 1.78

Run by - Fri 04/13/2007 - 19:30:10.62

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINNT\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINNT\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Documents and Settings\wtsang01\NetHood\ftp.astro.com\Desktop.ini
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL0044.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL0117.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL0161.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL0374.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL1248.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL1389.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL1713.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL1846.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL1942.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL2566.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL2956.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL3109.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL3364.tmp
C:\Documents and Settings\wtsang01\Application Data\Microsoft\Word\~WRL3595.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL0376.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL0577.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL1480.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL1939.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL2013.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL2534.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL2546.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL3193.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL3301.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL3476.tmp
C:\Documents and Settings\wtsang01\My Documents\Victoria\Grade 10\CHV2O\~WRL3750.tmp

Finished


Fixwareout Log Report:


Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further

inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="\"F:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"avast!"="F:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Synchronization Manager"="mobsync.exe /logon"
"DiskeeperSystray"="\"F:\\Program Files\\Executive

Software\\Diskeeper\\DkIcon.exe\""
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec

AntiVirus\\vptray.exe"
"gcasServ"="\"F:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="\"F:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP

Pro.exe\" -win"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Thanks again, there are several different virus/malware programs that have caught worms and trojans, in the week prior to this posting.
Let me know if you want a list.

#4 Shaba

Shaba

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 769 posts
  • MVP

Posted 14 April 2007 - 03:04 AM

Hi

You are using three antivirus, AVG, avast! and Norton. Are all up-to-date?

The formatting of your post is messed up. This is caused by not having Word Wrap checked.
1. Click Start > All Programs > Accessories > Notepad
2. On the menu bar in Notepad select Format and click on WordWrap so it appears checked

Open HijackThis, click do a system scan only and checkmark these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O8 - Extra context menu item: &Search -
http://kb.bar.need2f...earch.html?p=KB
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD7C8C2-71C4-419A-BBB2-ADFEA40EC620}:
NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}:
NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA4DCD52-FABC-405B-919F-B7BFE2A6238B}:
NameServer = 85.255.116.41,85.255.112.125
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.41
85.255.112.125
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.41
85.255.112.125
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.41
85.255.112.125
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} -
D:\CDS300\__CDS2.dll (file missing)

Close all windows including browser and press fix checked

Update AVG anti-spyware, don't scan yet

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Posted Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Re-run fixwareout

Please post:
  • fixwareout report
  • AVG Anti-Spyware log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.
UNITE and ASAP member since 2006

Posted Image

#5 Qball

Qball

    New Member

  • New Member
  • Pip
  • 3 posts

Posted 17 April 2007 - 12:27 AM

Sorry for the delay Shabba,

I lost my internet access, when HJT ( I mean ME ) removed the 85.255.116.41,85.255.112.125 IP addresses along with my Tcpip stack.
I only checked the bad ones but they all went. The correct info was still there for my ISP, but I had to re-enter the info, and 'OK' my way
from the local area network properties tab to re-register the HKLM keys in the registry. Got help from my ISP on that fix.

You'll see the correct info in the logs. I still have to put back the networking Ip stuff, but the logs are good now on the 017's.

Thanks again.




Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"THGuard"="\"F:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Synchronization Manager"="mobsync.exe /logon"
"DiskeeperSystray"="\"F:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
"HotKeysCmds"="C:\\WINNT\\system32\\hkcmd.exe"
"IgfxTray"="C:\\WINNT\\system32\\igfxtray.exe"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"vptray"="C:\\Program Files\\Symantec_Client_Security\\Symantec AntiVirus\\vptray.exe"
"QuickTime Task"="\"F:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Smctray"="\"C:\\Program Files\\sygate\\ssa\\Smc.exe\" -start"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FreeRAM XP"="\"F:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:19:21 AM 4/15/2007

+ Scan result:



Nothing found.


::Report end

}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}


Logfile of HijackThis v1.99.1
Scan saved at 12:37:30 AM, on 4/15/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\program files\sygate\ssa\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
F:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\NMSSvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
F:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxtray.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
F:\Downloaded Programs\SYSINTERALS\Autoruns for Windows v8.61\autoruns.exe
C:\Program Files\HijackThis\AnalyzeMe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/?lang=en-CA
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [THGuard] "F:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DiskeeperSystray] "F:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Smctray] "C:\Program Files\sygate\ssa\Smc.exe" -start
O4 - HKCU\..\Run: [FreeRAM XP] "F:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Startup: services.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Encarta &Definition - http://ca.encarta.ms...kDictionary.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {051D0E35-F4E3-4C8D-B411-AB0875F4C683} (Anark Client 4.0 ActiveX Control) - http://install.anark...en/AMClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {131EB16C-BD58-443F-8151-6DFBB0DA1778} (Anark Client 3.0 ActiveX Control) - http://install.anark...en/AMClient.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecu...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {23B1D1AE-A29F-4AE2-B76E-CAB6E14811C4} (DHCPConfiguration Class) - http://eserv.sympati...adaPortalAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,911,0
O16 - DPF: {5CD4310E-88FB-43C1-BE24-5F3FA9C5C9D1} (KooPlayer Control) - http://www.tvlution.com/KooPlayer.ocx
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory....ap/PhtPkCnv.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1149895973109
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://tv.disney.go....y/OTOYAX29b.cab
O16 - DPF: {819F8533-D935-4183-B692-587F8D56AC3C} (iolo.AV.OnlineVirusScanner) - http://www.iolo.com/...x/AVCheckUp.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5F9D6EC-921F-4085-8DB3-DB898567EAB2}: NameServer = 209.226.175.223,198.235.216.134
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = implementation.teranet.ca
O20 - Winlogon Notify: !SASWinLogon - F:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - F:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SBHookSvc - Unknown owner - C:\PROGRA~1\NETASS~1\SMARTB~1\SBHookSvc.exe (file missing)
O23 - Service: Sygate Security Agent (SmcService) - Sygate Technologies, Inc. - C:\program files\sygate\ssa\smc.exe



Btw, All the virus programs are up to date but I need to trim back to one because of conflicts. Any suggestions???

Edited by Qball, 17 April 2007 - 12:30 AM.

#6 Shaba

Shaba

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 769 posts
  • MVP

Posted 17 April 2007 - 01:20 AM

Hi

Glad to hear that connection is back :)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post:

- a fresh HijackThis log
- kaspersky report
UNITE and ASAP member since 2006

Posted Image

#7 Shaba

Shaba

    Advanced Member

  • Authentic Member
  • PipPipPipPip
  • 769 posts
  • MVP

Posted 24 April 2007 - 10:38 AM

Due to the lack of feedback this Topic is closed. If you need help please start a new thread and post a new HJT log
UNITE and ASAP member since 2006

Posted Image

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·