
[Closed] PCPrivacyTool removal
#1
Posted 03 December 2007 - 07:32 PM
#2
Posted 04 December 2007 - 11:58 AM
My name is Simon V., and I'll be glad to help you with your computer problems.
The first step in cleaning the malware off your computer is creating a HijackThis log:
- Download HJTInstall.exe to your desktop.
- Doubleclick HJTInstall.exe to install HijackThis.
- By default it will install to C:\Program Files\Trend Micro\HijackThis .
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch Hijackthis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Please copy the contents of the report and paste it back here.
Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!
#3
Posted 04 December 2007 - 10:04 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:59 AM, on 12/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Nnueee
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - F:\Program Files\flashget\jccatch.dll
O2 - BHO: (no name) - {40EB2EFA-65EE-4382-BDF6-B664C86C5CAB} - C:\WINDOWS\system32\actived.dll
O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - C:\Program Files\ConnectionServices\ConnectionServices.dll (file missing)
O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - C:\Program Files\BitAccelerator\BitAccelerator.dll (file missing)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - F:\Program Files\flashget\getflash.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Ad Muncher] "C:\Program Files\Ad Muncher\AdMunch.exe" /bt
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Закачать все при помощи FlashGet - F:\Program Files\flashget\jc_all.htm
O8 - Extra context menu item: &Закачать при помощи FlashGet - F:\Program Files\flashget\jc_link.htm
O8 - Extra context menu item: Block frame with Ad Muncher - http://www.admuncher...d=menu_ie_frame
O8 - Extra context menu item: Block image with Ad Muncher - http://www.admuncher...d=menu_ie_image
O8 - Extra context menu item: Block link with Ad Muncher - http://www.admuncher...id=menu_ie_link
O8 - Extra context menu item: Don't filter page with Ad Muncher - http://www.admuncher...menu_ie_exclude
O8 - Extra context menu item: Report page to the Ad Muncher developers - http://www.admuncher...=menu_ie_report
O9 - Extra button: Справочные материалы - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\4\flashget\FlashGet.exe (file missing)
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - F:\4\flashget\FlashGet.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://ca.com/us/sec...an/pestscan.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1195693813578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1196288744156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57FA5059-FA51-4435-B258-651850831260}: NameServer = 193.110.57.4 193.110.56.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{8BC8B0B6-558F-411C-97B9-D00D6B1AEA56}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: c:\windows\system32\smserher.dll,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe
--
End of file - 9675 bytes
#4
Posted 05 December 2007 - 05:23 AM

Do you have a Russian version of Windows?
Please go to VirusTotal or Jotti and upload C:\WINDOWS\system32\actived.dll for scanning.
For VirusTotal:
- Please copy and paste C:\WINDOWS\system32\actived.dll in the text box next to the Browse... button.
- Click on Send File.
For Jotti:
- Please copy and paste C:\WINDOWS\system32\actived.dll in the text box next to the Browse... button.
- Click on Submit.
Copy/paste the results in Notepad and save them to your desktop.
Also do this for c:\windows\system32\smserher.dll and C:\PROGRAM FILES\sQusi\SQUSIT~1\sQusi20Stb.dll (SQUSIT~1 > this folder starts with the letters SQUSIT and has the file sQusi20Stb.dll inside of it)
In your next reply, please post the Virustotal/Jotti results.


#5
Posted 05 December 2007 - 11:06 AM
I scanned actived.dll.
I couldn't locate the shredder whatever... it doesn't exist, I guess.
I couldn't scan the sQusi file because when I try to upload it on both sites that you gave me I get "the page could not be displayed"...
So here is the actived.dll scan:
File actived.dll received on 12.05.2007 17:26:24 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 14/32 (43.75%)
Antivirus Version Last Update Result
AhnLab-V3 2007.12.5.0 2007.12.05 -
AntiVir 7.6.0.34 2007.12.05 TR/BHO.abo.1
Authentium 4.93.8 2007.12.05 -
Avast 4.7.1098.0 2007.12.05 -
AVG 7.5.0.503 2007.12.05 Generic9.AAUY
BitDefender 7.2 2007.12.05 -
CAT-QuickHeal 9.00 2007.12.05 Trojan.BHO.abo
ClamAV 0.91.2 2007.12.05 -
DrWeb 4.44.0.09170 2007.12.05 Trojan.DownLoader.37561
eSafe 7.0.15.0 2007.12.04 -
eTrust-Vet 31.3.5353 2007.12.05 -
Ewido 4.0 2007.12.05 -
FileAdvisor 1 2007.12.05 -
Fortinet 3.14.0.0 2007.12.05 -
F-Prot 4.4.2.54 2007.12.05 -
F-Secure 6.70.13030.0 2007.12.05 Trojan.Win32.BHO.abo
Ikarus T3.1.1.12 2007.12.05 Trojan-PWS.Win32.Lmir
Kaspersky 7.0.0.125 2007.12.05 Trojan.Win32.BHO.abo
McAfee 5177 2007.12.04 -
Microsoft 1.3007 2007.12.05 TrojanSpy:Win32/Bzub.GB.dll
NOD32v2 2701 2007.12.05 -
Norman 5.80.02 2007.12.05 W32/BHO.ATH
Panda 9.0.0.4 2007.12.04 Adware/AVSystemCare
Prevx1 V2 2007.12.05 Trojan.DoS.Win32.Opdos
Rising 20.21.20.00 2007.12.05 -
Sophos 4.24.0 2007.12.05 Troj/BHO-EE
Sunbelt 2.2.907.0 2007.12.05 -
Symantec 10 2007.12.05 -
TheHacker 6.2.9.150 2007.12.05 Trojan/BHO.abo
VBA32 3.12.2.5 2007.12.04 -
VirusBuster 4.3.26:9 2007.12.05 -
Webwasher-Gateway 6.6.2 2007.12.05 Trojan.BHO.abo.1
Additional information
File size: 92672 bytes
MD5: feef541b98155d8892e24093d52fd1b0
SHA1: 59dcb212ce087d1087106581120604f986de47b7
PEiD: -
packers: UPX
packers: UPX
packers: PE_Patch.UPX, UPX
Prevx info: http://fileinfo.prev...78739001A7812D0
#6
Posted 05 December 2007 - 12:15 PM
Let's make an Uninstall List:
- Open HijackThis.
- Click on the Config button.
- Click on the Misc Tools button.
- Click on the Open Uninstall Manager button.
- Click on the Save list... button and save the file to a convenient location. When you press Save, Notepad will open with the contents of that file.
Be sure that you are set to see hidden files and folders:
- Close all programs so that you are at your desktop.
- Double-click on the My Computer icon.
- Select the Tools menu and click Folder Options.
- After the new window appears select the View tab.
- Put a checkmark in the checkbox labelled Display the contents of system folders.
- Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
- Remove the checkmark from the checkbox labelled Hide file extensions for known file types.
- Remove the checkmark from the checkbox labelled Hide protected operating system files. Answer Yes to the prompt.
- Press the Apply button and then the OK button and close My Computer.
Then look for c:\windows\system32\smserher.dll and upload it to Virustotal or Jotti. If it doesn't exist, please let me know. In your next reply, post the Uninstall List (uninstall_list.txt), along with the Virustotal/Jotti results (if you found the file).


#7
Posted 06 December 2007 - 07:22 AM
#8
Posted 06 December 2007 - 08:06 AM

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.
Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.
Here is some information that looks at the rates of infection:
http://www.benedelman.org/spyware/p2p/
With that being said, I recommend that you remove the following Peer-to-Peer program(s):
BitTorrent 4.24.0
Step 1
Click on Start, then Control Panel. Double click on Add or Remove Programs.
Please remove the following program(s):
- sQusi Tracking Plus
- BitAccelerator
- ConnectionServices
Step 2
Open HijackThis, perform a scan and put a check next to the following items (if present):
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {40EB2EFA-65EE-4382-BDF6-B664C86C5CAB} - C:\WINDOWS\system32\actived.dll
O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - C:\Program Files\ConnectionServices\ConnectionServices.dll (file missing)
O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - C:\Program Files\BitAccelerator\BitAccelerator.dll (file missing)
O20 - AppInit_DLLs: c:\windows\system32\smserher.dll,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
Close all programs except HijackThis and click on Fix checked.
Step 3
Navigate to the following files/folders using Windows Explorer and delete them when found:
C:\Program Files\BitAccelerator\ <-- Folder
C:\Program Files\ConnectionServices\ <-- Folder
Step 4
In your next reply, please post:
- a new HijackThis log
- How is your computer running now?


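Added example, not code from the thread or from HijackThis itself: a small Python triage script that applies the same reasoning the helper used in post #4 and in Step 2 above. It parses HijackThis 2.0.2 log lines, flags O2 BHO entries that have no display name or point at a DLL that is already gone, flags every O20 AppInit_DLLs entry (those DLLs are injected into each process that loads user32.dll, which is why the helper wanted both files scanned), lists the DLLs that still exist so they can be hashed and submitted to a multi-engine scanner, and checks a file's MD5 against the one VirusTotal reported for actived.dll in post #5. The sample log is a constructed subset of the log posted in this thread; the line format the regexes assume is the one shown in that log.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of the HijackThis log lines posted earlier in
# this thread, with legitimate entries kept alongside the ones the helper flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40EB2EFA-65EE-4382-BDF6-B664C86C5CAB} - C:\WINDOWS\system32\actived.dll
O2 - BHO: ConnectionServices module - {6D7B211A-88EA-490c-BAB9-3600D8D7C503} - C:\Program Files\ConnectionServices\ConnectionServices.dll (file missing)
O2 - BHO: BitAccelerator module - {92860A02-4D69-48c1-82D7-EF6B2C609502} - C:\Program Files\BitAccelerator\BitAccelerator.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - AppInit_DLLs: c:\windows\system32\smserher.dll,C:\PROGRA~1\sQusi\SQUSIT~1\sQusi20Stb.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# MD5 that VirusTotal reported for actived.dll in post #5 of this thread.
KNOWN_BAD_MD5: Dict[str, str] = {
    "feef541b98155d8892e24093d52fd1b0": "actived.dll (Trojan.Win32.BHO.abo / TrojanSpy:Win32/Bzub)",
}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
MISSING = " (file missing)"


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O2" or "O20"
    line: str           # the original log line (what you would tick in HijackThis)
    paths: List[str]    # DLLs the entry loads; empty when the file is already gone
    reasons: List[str]  # why the entry was flagged


def triage(log_text: str) -> List[Finding]:
    """Flag BHO and AppInit_DLLs entries that deserve a closer look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            reasons, paths = [], []
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            if path.endswith(MISSING):
                reasons.append("BHO points at a DLL that no longer exists (orphaned registration)")
            else:
                paths.append(path)
            if reasons:
                findings.append(Finding("O2", line, paths, reasons))
            continue
        m = APPINIT_RE.match(line)
        if m:
            dlls = [d.strip() for d in m.group("dlls").split(",") if d.strip()]
            findings.append(Finding("O20", line, dlls, [
                f"AppInit_DLLs injects {len(dlls)} DLL(s) into every process that loads user32.dll"
            ]))
    return findings


def files_to_submit(findings: List[Finding]) -> List[str]:
    """Existing DLLs worth hashing and submitting to a multi-engine scanner."""
    return [p for f in findings for p in f.paths]


def hashes_of(data: bytes) -> Dict[str, str]:
    """MD5/SHA1/SHA256 of a file's content, the identifiers scanners report."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_known_bad(data: bytes) -> Optional[str]:
    """Look the MD5 up locally first; a hash lookup reveals nothing about the file itself."""
    return KNOWN_BAD_MD5.get(hashes_of(data)["md5"])


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
    print("Submit for scanning:", files_to_submit(results))
```

Run against the sample, the script flags exactly the four lines the helper asked the user to tick in Step 2 (the nameless actived.dll BHO, the two orphaned BHOs, and the AppInit_DLLs entry) and names the three DLLs the helper asked to have scanned. The two "(file missing)" BHOs still merit fixing even though their DLLs are gone: the CLSID registration stays behind and Internet Explorer keeps trying to load it.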
#9
Posted 11 December 2007 - 06:21 AM


#10
Posted 14 December 2007 - 05:47 AM

