spyware/viruses after re-installing xp (sp1)(RESOLVED)

  1. 21-12-2005  #1
    madmikejt12
    madmikejt12 is offline Dedicated Member

    spyware/viruses after re-installing xp (sp1)(RESOLVED)

    hi, i recently re-installed xp home (sp1) and i had to go on the internet to download graphics driver because the display was too big.... i got a message that obviously wasnt from microsoft, it was a red circle with a white cross in the middle and when i hover over it, it says "your computer is infected" and every so often it says @your computer is infected with spyware........" i ran ad-aware and AVG 3 times, deleted everything and its not gone, could you please check this log?
    Logfile of HijackThis v1.99.1
    Scan saved at 14:33:25, on 21/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\Mp***ent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\winstall.exe
    C:\Program Files\AOL 9.0a\aoltray.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\imapi.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    D:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9D93D1-58BE-4EED-B436-1E1D12FFEC01}: NameServer = 205.188.146.145
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

    hope you can help
    Thanks, Mike

  3. 21-12-2005  #2
    brain_damage
    brain_damage is offline D-A-L Team Member (UK)
    Hi mike have you tried running avg etc, in safe mode with system restore turned off?
  4. 21-12-2005  #3
    Neal
    Neal is offline Dedicated Member
    Hi and welcome to the wonderful world of spysheriff. This requires a special tool to get rid of this and away we go.

    You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

    Download smitRem.exe and save the file to your desktop.
    Double click on the file to extract it to it's own folder on the desktop.

    Please download, install, and update the free version of Ewido Security Suite:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful"
    5. Exit Ewido. DO NOT run a scan yet.

    If you do not already have Ad-Aware SE 1.06 installed, follow these download and setup instructions. Also check for updates:
    Ad-Aware SE Setup
    Again, do NOT run a scan yet.


    Next, please reboot your computer in Safe Mode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Scan with HijackThis again and place a check next to these items:

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    Close all other windows except HijackThis, and hit Fix Checked

    Hunt for and delete if found:

    winstall.exe

    Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
    Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

    Next, run Ad-aware and perform a full scan. Remove everything found.

    Now open Ewido Security Suite
    • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan finishes, click on "Save Report". This will create a text file. Save that file for us later.
    • Close Ewido
    Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.


    Restart your computer in normal mode.

    Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on Local Disks to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Finally, restart your computer once more, and please post a new HijackThis log as well as the log from the Ewido scan and the log from the smitRem tool, which will be located at C:\smitfiles.txt.
    Let us know if any problems persist.
  5. 22-12-2005  #4
    madmikejt12
    madmikejt12 is offline Dedicated Member
    Hi mike have you tried running avg etc, in safe mode with system restore turned off?
    i tried it in safe mode but not with sytem restore off, would this make a difference?

    that file is in the C drive. its just C:/winstall i tried to delete that yesturday but it cannot be done in normal mode with the process running.

    i am going to follow the instructio0ns now and let you know how i get on.
    Thank you both for your replies
  6. 22-12-2005  #5
    madmikejt12
    madmikejt12 is offline Dedicated Member
    seems to bo ok now, thanks, here are the logs:

    HJThis:
    Logfile of HijackThis v1.99.1
    Scan saved at 05:22:46, on 22/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\PROGRA~1\McAfee.com\PERSON~1\Mp***ent.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\Program Files\VoyagerTest\fts.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\AOL 9.0a\aoltray.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    D:\HijackThis.exe

    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6C9D93D1-58BE-4EED-B436-1E1D12FFEC01}: NameServer = 205.188.146.145
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
  7. 22-12-2005  #6
    madmikejt12
    madmikejt12 is offline Dedicated Member
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 04:17:58, 22/12/2005
    + Report-Checksum: 6B4407B6

    + Scan result:

    C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000L.jar/GetAccess.class -> Downloader.Java.OpenConnection.aj : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000L.jar/Installer.class -> Downloader.Java.OpenConnection.aj : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000O.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000Q.htm -> Downloader.Inor.a : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Du mmy.class-44eba5ec-11dbe626.class -> Trojan.ClassLoader.Dummy.d : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@doubleclick
  8. 22-12-2005  #7
    madmikejt12
    madmikejt12 is offline Dedicated Member
    [1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Owner.MIKES-PC\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\WINDOWS\tool2.exe -> Hijacker.Spywad.o : Cleaned with backup
    : mozilla.12: D:\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    : mozilla.13: D:\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
    : mozilla.15: D:\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    : mozilla.18: D:\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    : mozilla.19: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    : mozilla.20: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    : mozilla.21: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    : mozilla.22 :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
    : mozilla.31: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
    : mozilla.32: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
    : mozilla.33: D :\Program files\Internet stuff\Browsers\k-mellon\K-Meleon\Profiles\default\7rfhzj5w.slt\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
  9. 22-12-2005  #8
    Neal
    Neal is offline Dedicated Member
    Good job,

    I need to see the Panda scan log also please.
  10. 22-12-2005  #9
    madmikejt12
    madmikejt12 is offline Dedicated Member
    Incident Status Location

    Adware:adware/cws.searchmeup Not desinfected C:\WINDOWS\SYSTEM32\paytime.exe
    Adware:adware/secure32 Not desinfected C:\WINDOWS\country.exe
    Security Risk:Exploit/MIE.CHM Not desinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr00006.htm
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000N.jar[Matrix.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000N.jar[Counter.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000N.jar[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Opera\Opera\profile\cache4\opr0000N.jar[Parser.class]
    Adware:Adware/CWS.Searchmeup Not desinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-cb66fa7-371c78bc.zip[GetAccess.class]
    Adware:Adware/CWS.Searchmeup Not desinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-cb66fa7-371c78bc.zip[Installer.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-cb66fa7-371c78bc.zip[NewSecurityClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jav a.jar-cb66fa7-371c78bc.zip[NewURLClassLoader.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-217a6652-6a4a2de4.zip[Matrix.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-217a6652-6a4a2de4.zip[Counter.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-217a6652-6a4a2de4.zip[Dummy.class]
    Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner.MIKES-PC\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loa deradv470.jar-217a6652-6a4a2de4.zip[Parser.class]
  11. 22-12-2005  #10
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
    Install it and check for updates then exit, we will use it later.



    Make sure you can see hidden files.
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.


    Reboot back into safe mode.


    Now run CWShredder and click fix


    Still in safe mode hunt for and delete if found:

    C:\WINDOWS\SYSTEM32\paytime.exe < file

    C:\WINDOWS\country.exe < file


    Reboot back to normal mode and empty your Opera cache


    Also empty Java cache

    How is your computer behaving now?
+ Reply to Thread
Page 1 of 2 1 2 LastLast
« Help removing Home Search Assistent | been overrun with trojans »