
[Resolved]Unwanted Emails


  • This topic is locked
9 replies to this topic

#1 tinpanalley

  • Authentic Member
  • 189 posts

Posted 05 August 2007 - 01:14 PM

Hi,
Straight to the point... I'm getting lots of unwanted emails from questionable places ("Dear Winner" stuff), your typical spam annoyances but some other things as well. Also, some pages are taking way too long to load. If someone could please look at my hijackthis logfile, I'd really appreciate it.

Also, if there's something I need to do to get a response within 5 days that I'm not doing, could you let me know? I know it's busy but I always end up waiting through the 5 days and having to re-post my issue.

Thanks, here's the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:06:44 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTSvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\Smc.exe" -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099665745687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163200215953
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://D:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


#2 Trevuren

  • Teacher Emeritus
  • Authentic Member
  • 8,632 posts
  • Interests: Woodworking

Posted 05 August 2007 - 11:03 PM

Hello tinpanalley and welcome back to the TomCoyote Forums

My name is Trevuren and I will be helping you with your problem.


A. Please RUN HijackThis
  • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
    O20 - Winlogon Notify: SSOExec - %windir%\temp\sso\ssoexec.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.


B. Please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner
Click Yes, when prompted to install its ActiveX component.
(Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
The program launches and downloads the latest definition files.
  • Once the files are downloaded click on Next
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database: Extended
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK and, under Select a target to scan, select My Computer
When the scan is done, in the Scan is completed window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As (above - red blinking arrow)
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use KScan, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report along with a fresh HijackThis log in your reply.


C. Also please tell me how your system is running.

Regards,

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom

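The three O20 entries Trevuren asks to have fixed are Winlogon Notify DLLs that no longer exist on disk. As an added example (not code from the thread or from HijackThis itself), this Python script reads HJT log text and pulls out what a helper checks first: orphaned Winlogon Notify entries, every entry marked "(file missing)", and O23 services reported with "Unknown owner". SAMPLE_LOG is a constructed excerpt of lines copied from the first log in this thread.

```python
"""Triage a HijackThis 1.99 log for orphaned autostart entries (added example).

Not code from the thread: it reads HJT log text and picks out what a helper
looks at first -- O20 Winlogon Notify entries whose DLL is "(file missing)",
every other entry marked "(file missing)", and O23 services with "Unknown
owner". SAMPLE_LOG is a constructed excerpt of lines copied from the first
HJT log in this thread.
"""
import re

SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe
O4 - HKLM\\..\\Run: [WinPatrol] C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: SSOExec - %windir%\\temp\\sso\\ssoexec.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\\Program Files\\Sygate\\SPF\\Smc.exe
"""

# HJT entry lines start with a section code (R0, O4, O20, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Return (kind, body) tuples for the entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Return the findings a helper would act on or ask about."""
    findings = {
        "orphaned_winlogon_notify": [],  # O20 entries to tick in HJT and "Fix checked"
        "file_missing": [],              # every entry whose target no longer exists
        "unknown_owner_services": [],    # O23 services without a vendor string
    }
    for kind, body in parse_hjt(text):
        if "(file missing)" in body:
            findings["file_missing"].append(f"{kind} - {body}")
            if kind == "O20" and body.startswith("Winlogon Notify:"):
                # A Winlogon Notify DLL that is gone still has its registry key read at each
                # logon; it is dead weight left by uninstalled software and is routinely removed.
                name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
                findings["orphaned_winlogon_notify"].append(name)
        elif kind == "O23" and " - Unknown owner - " in body:
            # No vendor string is not proof of malware (licensing and copy-protection services
            # often lack one), but the path is worth checking.
            findings["unknown_owner_services"].append(body.rsplit(" - ", 1)[1])
    return findings


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(f"{key}: {len(items)}")
        for item in items:
            print("   ", item)
```

Run against the full log, the orphaned list is exactly the three entries Trevuren selected.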

#3 tinpanalley

  • Authentic Member
  • 189 posts

Posted 06 August 2007 - 07:54 AM

First, thank you for replying so soon. Here's the Kaspersky scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 06, 2007 9:46:22 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 6/08/2007
Kaspersky Anti-Virus database records: 373406
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
O:\

Scan Statistics:
Total number of scanned objects: 259197
Number of viruses found: 24
Number of infected objects: 107
Number of suspicious objects: 0
Duration of the scan process: 04:36:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\ntuser.dat Object is locked skipped
C:\Documents and Settings\Phil Vasquez\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sygate\SPF\debug.log Object is locked skipped
C:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
C:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
C:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
C:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
C:\Program Files\WMR11\WMRecorderv112_Crack.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.d skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineDE7892.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineFA6BA7.0 Infected: Exploit.HTML.Mht skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine5A16BF2 Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\QuarantineE174911 Infected: not-a-virus:AdWare.Win32.ISearch.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\1545718C Infected: not-a-virus:AdWare.Win32.Suggestor.g skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\1F9944CB Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\21E41A93 Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/stt.exe Infected: HackTool.Win32.Aost skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe/es32.dll Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe/lssas.exe Infected: Backdoor.Win32.FTP.ioFtpd.b skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe/ntio40.sys Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe/stt.exe Infected: HackTool.Win32.Aost skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe/csrs.exe Infected: Backdoor.Win32.mIRC-based skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/unpack7.exe Infected: Backdoor.Win32.mIRC-based skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/setuphlp.cmd Infected: Backdoor.IRC.Zapchast skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe/srvchk.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe RAR: infected - 9 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\23CA2D71.exe CryptFF: infected - 9 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\30A962B9.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\366125B8 Infected: not-a-virus:AdWare.Win32.Beginto.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\398E67DD.0 Infected: Trojan-Clicker.JS.Linker.l skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\39FA32C8 Infected: not-a-virus:AdWare.Win32.BetterInternet skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E1E442A.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E1E442A.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E1E442A.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E1E442A.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E1E442A.zip CryptFF: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\3E347359.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\418B6BAF Infected: not-a-virus:AdWare.Win32.EliteBar.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\482A0E56 Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48C11E59.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48D51A43.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\48FC1218.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4933415C.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4A94708D Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\4B9A2271 Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57813108.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\57F0448D.0TM Infected: Exploit.HTML.Mht skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\580E0911 Infected: not-a-virus:AdWare.Win32.Beginto.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\59010ABF Infected: not-a-virus:AdWare.Win32.Beginto.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\636E49A9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\636E49A9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\636E49A9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\636E49A9.zip ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\636E49A9.zip CryptFF: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\76242EB9.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\765F2278.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip ZIP: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\766C4A6A.zip CryptFF: infected - 4 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\768C6E46.0TM Infected: Exploit.HTML.Mht skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\78734D64 Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\RECYCLER\S-1-5-21-1942873142-913711009-2564194695-500\Dc2\Quarantine\7E8D7BFF Infected: not-a-virus:AdWare.Win32.EliteBar.v skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP375\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd6589.sys Object is locked skipped
C:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\XBOX\Apps\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
K:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
K:\System Volume Information\_restore{681AD0F2-0D47-41B9-8237-A8C74BD32DF4}\RP375\change.log Object is locked skipped

Scan process completed.
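The report mixes two kinds of lines: files the scanner could not open ("Object is locked skipped", normal for registry hives and event logs) and real detections, nearly all of which sit under C:\RECYCLER, the Windows XP Recycle Bin, in what looks like an old quarantine folder that was deleted. As an added example (not code from the thread or from Kaspersky), this Python parser separates the two, maps each archive member back to the file on disk, and groups detections by folder; SAMPLE_REPORT is a constructed excerpt of lines copied from the report above.

```python
"""Summarise a Kaspersky Online Scanner text report (added example, not from the thread).

The parser reads the "Infected Object Name / Virus Name / Last Action" table, keeps
locked-and-skipped system files apart from real detections, maps each detection back
to the file that actually exists on disk (members of a .zip or .exe archive are listed
as archive/member), and groups detections by top-level folder so that hits inside the
Recycle Bin (C:\\RECYCLER) stand out from files in live locations. SAMPLE_REPORT is a
constructed excerpt built from lines of the report posted above.
"""
import re
from collections import defaultdict

SAMPLE_REPORT = """\
Scan Statistics:
Number of infected objects: 4
Infected Object Name / Virus Name / Last Action
C:\\Program Files\\Sygate\\SPF\\seclog.log Object is locked skipped
C:\\RECYCLER\\S-1-5-21-1942873142-913711009-2564194695-500\\Dc2\\QuarantineDE7892.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\\RECYCLER\\S-1-5-21-1942873142-913711009-2564194695-500\\Dc2\\QuarantineDE7892.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\\RECYCLER\\S-1-5-21-1942873142-913711009-2564194695-500\\Dc2\\QuarantineDE7892.zip ZIP: infected - 4 skipped
C:\\RECYCLER\\S-1-5-21-1942873142-913711009-2564194695-500\\Dc2\\Quarantine\\23CA2D71.exe/unpack7.exe/es32.dll Infected: Backdoor.IRC.Zapchast skipped
C:\\XBOX\\Apps\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
Scan process completed.
"""

LOCKED_SUFFIX = " Object is locked skipped"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
ARCHIVE_RE = re.compile(r"^(?P<obj>.+?) (?P<fmt>\w+): infected - (?P<n>\d+) (?P<action>\w+)$")


def parse_report(text):
    """Return (detections, archives, locked) from the object table of a report."""
    detections, archives, locked = [], [], []
    in_table = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Infected Object Name"):
            in_table = True
            continue
        if not in_table or line.startswith("Scan process completed"):
            continue
        if line.endswith(LOCKED_SUFFIX):
            # Registry hives, event logs and AV logs are open for exclusive use; the scanner
            # cannot read them, which is normal and not a detection.
            locked.append(line[: -len(LOCKED_SUFFIX)])
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((m.group("obj"), m.group("name"), m.group("action")))
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            # Summary line for a container: "<archive> ZIP: infected - 4 skipped"
            archives.append((m.group("obj"), m.group("fmt"), int(m.group("n"))))
    return detections, archives, locked


def on_disk_path(obj):
    """Reduce 'archive.zip/Member.class' to the file that exists on disk."""
    return obj.split("/", 1)[0]


def summarise(text):
    """Aggregate a report into counts, detection names and a per-folder breakdown."""
    detections, archives, locked = parse_report(text)
    by_folder = defaultdict(list)
    for obj, name, _ in detections:
        top = "\\".join(on_disk_path(obj).split("\\")[:2])  # e.g. C:\RECYCLER
        by_folder[top].append(name)
    return {
        "detections": len(detections),
        "archives": len(archives),
        "locked": len(locked),
        "in_recycle_bin": sum(
            1 for obj, _, _ in detections if on_disk_path(obj).upper().startswith("C:\\RECYCLER\\")
        ),
        "by_folder": dict(by_folder),
        "detection_names": sorted({name for _, name, _ in detections}),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_REPORT)
    print(f'{result["detections"]} detections, {result["in_recycle_bin"]} of them in the Recycle Bin')
    for folder, names in result["by_folder"].items():
        print(f"  {folder}: {len(names)} -> {sorted(set(names))}")
```

On the full report the same breakdown shows every detection except mirc.exe under C:\RECYCLER, which is what a helper uses to decide between emptying the Recycle Bin and a real disinfection step.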

#4 tinpanalley (Authentic Member, 189 posts)

Posted 06 August 2007 - 07:55 AM

And this is the new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:37 AM, on 8/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\CTSvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\MacOpener\FORMATM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\hijack\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\Smc.exe" -startgui
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1099665745687
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1163200215953
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec....sa/SymAData.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://D:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

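Reading a HijackThis log by eye is what the helpers in this thread do. The following Python script is an added example (not the forum's or HijackThis's own code) that parses the section lines of such a log and flags the patterns worth a second look: entries marked `(file missing)` or `(no file)`, services with `Unknown owner`, DPF controls loaded from a `file://` path, and Run entries without a full path. The sample lines are a constructed subset copied from the log above; the flag names and heuristics are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: eight lines copied from the HijackThis log above (a subset, not the whole log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://D:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
"""
# Every HijackThis finding is "<section> - <body>"; headers and the process list do not match.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

@dataclass
class Entry:
    section: str          # e.g. "O23"
    body: str             # text after the section marker
    clsid: Optional[str]  # COM class id when the line carries one
    flags: List[str]      # review hints from triage()

def triage(section: str, body: str) -> List[str]:
    """Heuristic hints for one line: what to look at first, not a verdict."""
    flags = []
    if "(file missing)" in body or "(no file)" in body:
        flags.append("dangling")          # registry points at a binary that is gone
    if "Unknown owner" in body:
        flags.append("unknown-owner")     # service binary without publisher information
    if section == "O16" and "file://" in body:
        flags.append("local-dpf")         # ActiveX control loaded from a local path
    if section == "O4" and "\\" not in body.split("] ", 1)[-1]:
        flags.append("unqualified-path")  # autorun with no full path relies on search order
    return flags

def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(section, body, clsid.group(0).upper() if clsid else None,
                             triage(section, body)))
    return entries

def flagged(entries: List[Entry]) -> List[Entry]:
    return [e for e in entries if e.flags]  # only the lines a helper should review first
```

Run `flagged(parse_hjt(SAMPLE_LOG))` to get the five sample lines that carry a hint; a real log is fed in the same way after reading it from disk.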
#5 Trevuren (Teacher Emeritus, 8,632 posts, Interests: Woodworking)

Posted 06 August 2007 - 11:06 AM

A. Your copy of mirc is infected. I would strongly suggest that you UNINSTALL it immediately then DELETE it from C:\Program Files\MIRC.

B. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

C. Now defrag your hard drive using Windows Defrag utility if you do not have a commercial version.


Once all of the above is done, Reboot your machine and please tell me how things are now running.


Regards,

Trevuren
Microsoft MVP Consumer Security 2008 - 2009


Proud graduate of TC/WTT Classroom



The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Join the ClassRoom and learn how.



#6 tinpanalley (Authentic Member, 189 posts)

Posted 06 August 2007 - 01:40 PM

Hey, I deleted entirely mirc which I wasn't using anyway and ran ATF. I'm now defragmenting the drive. It was 20% defragged so it's gonna take a while. I'll get back to you soon as it's done. Meantime can you recommend a good defrag program that isn't the Windows one? Paid or not, I don't mind.

Edited by tinpanalley, 06 August 2007 - 01:41 PM.


#7 Trevuren (Teacher Emeritus, 8,632 posts, Interests: Woodworking)

Posted 06 August 2007 - 02:01 PM

:thumbup:

#8 tinpanalley (Authentic Member, 189 posts)

Posted 06 August 2007 - 10:38 PM

Alright, all instructions followed. I saved a log of the defrag as well if it helps. I rebooted and I've been using it on and off tonight. It seems ok, but there were a few delays here and there. But more importantly, I won't know if the spam has stopped until I check my email for a few days. Anything else I can try? (Oh, and completely unrelated, but I'm originally from Toronto. Go Leafs!) :)

#9 Trevuren (Teacher Emeritus, 8,632 posts, Interests: Woodworking)

Posted 06 August 2007 - 11:15 PM

I did not do anything to stop the Spam per se. They have your email address. You either change your email addy or buy a good spam blocker.


Inasmuch as I can do nothing for the Spam blocker I will provide you with the final cleanup procedures then close the thread in a day or so.


Congratulations, your log looks CLEAN

There are a few things you must do once you are completely clean:

1. Time for some housekeeping

Please download the OTMoveIt by OldTimer
  • Save it to your desktop.
  • Run the tool by clicking on the icon.
  • Click the Cleanup button.
  • The tools that we used as well as this one will be removed from your system.

2. Please run ATF Cleaner again.

3. Now Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place?

Regards,

Trevuren


#10 Trevuren (Teacher Emeritus, 8,632 posts, Interests: Woodworking)

Posted 12 August 2007 - 08:32 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php