hjthis log - about:blank win2000
-
Hi there,
It's been a while since you guys last had to help me out of a virus hole, but now my old laptop is playing up. I suspect it has the dreaded about:blank lurking inside, as my homepage was set to it.
Ran Spybot OK - but Ad-Aware runs part way through then halts - the hard drive continues to run something in the background for 5 - 10 mins and the PC is inoperable.
Ran a hjthis log as attached.
Any thoughts?
Many thanks
Graham
Logfile of HijackThis v1.99.1
Scan saved at 3:24:46 PM, on 4/3/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\hjthis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - C:\Diablo II\save\Europe\D2GSSVC.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
-
Hi and welcome back,
Please download, install, and update the NEW free version of Ewido trojan scanner:
* When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
* From the main ewido screen, click on update in the left menu, then click the Start update button.
* After the update finishes (the status bar at the bottom will display "Update successful")
* Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
* If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
* When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Post the log Ewido makes back here please.
-
Hi there Neal,
Thanks for your quick reply - much appreciated .
I have downloaded and run the 'ewido' program as you suggested... The database warning did not appear so I continued.
It found trojan and hijacker intrusions which I guess are more serious than the cookie trackers.
Attached as log
Thanks again.
Graham.
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:06:42 AM, 4/4/2006
+ Report-Checksum: 5119C4BA
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SearchAssistant Uninstall -> Adware.CoolWebSearch : Cleaned with backup
C:\WINNT\SYSTEM32\DRIVERS\ETC\hosts.20041029-221354.backup -> Trojan.Qhost.f : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20060403-131653-139.dll -> Hijacker.StartPage.abg : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@webstat[2].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@bilbo.counted[2].txt -> TrackingCookie.Counted : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adtech[2].txt -> TrackingCookie.Adtech : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Program Files\AdStatus Service -> Adware.WinTaskAd : Cleaned with backup
::Report End
-
Any better?
www.pandasoftware.com/activescan/
Internet Explorer Required
Please run this online virus scan: ActiveScan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company
* Click the big Scan Now button
* If/when you get a notice that Panda wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on Local Disks to start the scan
* When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please and a new hijackthis log as well. Thanks.
Please post me a new hijackthis log and the Panda scan log please.
-
Hmmm, doesn't seem to be much better..
Have run pandasoft - it found some adware & spyware, log as attached.
hjthis log attached.
I notice that when scanning with hjthis - the scan stalls when it gets to item 023 and the pc goes into its 5 mins of hard drive activity where pc is locked out.
pandasoft report log:
Incident Status Location
Adware:Adware/SAHAgent Not disinfected C:\WINNT\SYSTEM32\xmltok.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\SYSTEM32\in10thinInstGACI43s.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINNT\INF\banner.inf
Adware:Adware/IPInsight Not disinfected C:\WINNT\INF\conscorr.inf
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINNT\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Adware:Adware/NetPals Not disinfected C:\WINNT\Downloaded Program Files\ATPartners.inf
Adware:Adware Program Not disinfected C:\WINNT\Downloaded Program Files\WildApp.inf
Adware:adware/ncase Not disinfected C:\WINNT\msbbau.dat
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\AcidSettingsCoolBin\Bib Way.exe
Dialer:Dialer.BRE Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\games.inf
Dialer:Dialer.BRE Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ICD2.tmp\games.inf
Spyware:Spyware/Apropos Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr1255\pstub0\proxystub.dll
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\conscorr.ini
Adware:Adware/TVMedia Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\tvmupdater.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\bis1D.exe
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@as-us.falkag[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@azjmp[2].txt
Spyware:Cookie/Microsofte Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@microsofteup.112.2o7[1].txt
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Administrator\Application Data\tvmcwrd.dll
HJTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 4:47:21 AM, on 4/5/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjthis\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - C:\Diablo II\save\Europe\D2GSSVC.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
-------------------------------------------------------
-
Hi,
Looks like Panda flushed some bad things out of the bushes, so let's start by doing this:
Go into add/remove program and remove:(IF FOUND)
Webrebates
SAHAgent/Shopathome Agent
BetterInet
Fun Web
Net Pals
nCase
TVMedia
Reboot if anything was removed.
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download AproposFix from here:
http://swandog46.geekstogo.com/aproposfix.exe
Save it to your desktop but do NOT run it yet.
Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.
When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
Also...
Download and unzip to its own folder:
http://metallica.geekstogo.com/findlop.zip
Run(Double Click) the findlop.bat which can be found in the findlop folder and post the result.
I need:
New hijackthis log
log from Apropos fix
log from find LOP
Thanks.
-
Hi Neal,
I ran the aproposfix executable in safe mode as detailed.
HJT ran and log as attached. I noticed the same 5-10 min hard disk activity whilst laptop locked out when search got to 023...
The logfiles are attached as instructed.
Logfile of HijackThis v1.99.1
Scan saved at 9:02:18 PM, on 4/6/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjthis\hijackthis.exe
C:\WINNT\system32\sspipes.scr
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - C:\Diablo II\save\Europe\D2GSSVC.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
Aproposfixlog
Log of AproposFix v1.1
************
Running from directory:
C:\Documents and Settings\Administrator\Desktop\aproposfix
************
Registry entries found:
************
No service found!
Removing hidden folder:
No folder found!
Deleting files:
Backing up files:
Done!
Removing registry entries:
REGEDIT4
Done!
Finished!
And log from findlop
[TRACE] Enumerating jobs and queues
That's the story so far.
Oh and I did try something between this and the previous log - I manually located and deleted the 2 entries that corresponded to the dialer.bre as logged in the ewido scan.
C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\games.inf
Dialer:Dialer.BRE Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\ICD2.tmp\games.inf
Cheers
Graham
-
OK,
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All except cookies
Click the Empty Selected button.
=============================================
If you use Firefox Browser
Click Firefox at the top and choose: Select All except cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
=============================================
If you use Opera browser
Click Opera at the top and choose: Select All except cookies
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
=============================================
Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
* Click Download Now to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits
o Please UNCHECK Do not Sweep System Restore Folder.
* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply along with a fresh HJT log.
-
Hi again,
Here is the latest after ATF & Spysweeper.
hjt log still stalls at 023...
***
11:00 PM: | Start of Session, Thursday, April 06, 2006 |
11:00 PM: Spy Sweeper started
11:00 PM: Sweep initiated using definitions version 651
11:00 PM: Starting Memory Sweep
11:11 PM: Memory Sweep Complete, Elapsed Time: 00:10:56
11:11 PM: Starting Registry Sweep
11:11 PM: Found Adware: blazefind_adstat
11:11 PM: HKCR\adstatservx.installer\ (3 subtraces) (ID = 104585)
11:11 PM: HKLM\software\classes\adstatservx.installer\ (3 subtraces) (ID = 104586)
11:12 PM: Found Adware: wild media - minigolf
11:12 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/winnt/minigolf_affiliate.exe\ (2 subtraces) (ID = 135054)
11:12 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\winnt\minigolf_affiliate.exe (ID = 135060)
11:12 PM: Found Adware: wildmedia
11:12 PM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146695)
11:12 PM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146709)
11:13 PM: Found Adware: megasear toolbar
11:13 PM: HKU\WRSS_Profile_S-1-5-21-143744227-174999600-642189945-61564\software\megasear toolbar\ (19 subtraces) (ID = 134923)
11:13 PM: HKU\WRSS_Profile_S-1-5-21-143744227-174999600-642189945-61564\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-c0ff-fa7fb592bf30} (ID = 134930)
11:13 PM: Found Adware: directrevenue-abetterinternet
11:13 PM: HKU\WRSS_Profile_S-1-5-21-143744227-174999600-642189945-61564\software\localnrd\ (13 subtraces) (ID = 145919)
11:13 PM: Found Adware: webrebates
11:13 PM: HKU\WRSS_Profile_S-1-5-21-143744227-174999600-642189945-61564\software\microsoft\internet explorer\menuext\web rebates\ (2 subtraces) (ID = 146297)
11:13 PM: Registry Sweep Complete, Elapsed Time:00:02:02
11:13 PM: Starting Cookie Sweep
11:13 PM: Found Spy Cookie: a cookie
11:13 PM: administrator@a[1].txt (ID = 2027)
11:13 PM: Found Spy Cookie: statcounter cookie
11:13 PM: administrator@statcounter[2].txt (ID = 3447)
11:13 PM: Found Spy Cookie: 2o7.net cookie
11:13 PM: administrator@msnportal.112.2o7[1].txt (ID = 1958)
11:13 PM: Found Spy Cookie: falkag cookie
11:13 PM: administrator@sel.as-us.falkag[1].txt (ID = 2650)
11:13 PM: administrator@as-us.falkag[2].txt (ID = 2650)
11:13 PM: Found Spy Cookie: azjmp cookie
11:13 PM: administrator@azjmp[2].txt (ID = 2270)
11:13 PM: administrator@microsofteup.112.2o7[1].txt (ID = 1958)
11:13 PM: Found Spy Cookie: webtrends cookie
11:13 PM: administrator@m.webtrends[1].txt (ID = 3669)
11:13 PM: administrator@as-eu.falkag[1].txt (ID = 2650)
11:13 PM: administrator@sel.as-eu.falkag[1].txt (ID = 2650)
11:13 PM: administrator@2o7[1].txt (ID = 1957)
11:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
11:13 PM: Starting File Sweep
11:13 PM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
11:16 PM: Found Adware: ipinsight
11:16 PM: conscorr.ini (ID = 64264)
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\software.log". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\default.log". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\security". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\security.log". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\system.alt". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\sam". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\sam.log". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\system". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\software". The process cannot access the file because it is being used by another process
11:27 PM: Warning: Failed to open file "c:\winnt\system32\config\default". The process cannot access the file because it is being used by another process
11:35 PM: Warning: The file sweep got stuck and had to be terminated and restarted in "safe" (slow) mode..
11:35 PM: File Sweep Complete, Elapsed Time: 00
43
11:35 PM: Full Sweep has completed. Elapsed time 00:35:01
11:35 PM: Traces Found: 80
11:38 PM: Removal process initiated
11:38 PM: Quarantining All Traces: directrevenue-abetterinternet
11:38 PM: Quarantining All Traces: wildmedia
11:38 PM: Quarantining All Traces: blazefind_adstat
11:38 PM: Quarantining All Traces: ipinsight
11:38 PM: Quarantining All Traces: megasear toolbar
11:40 PM: Quarantining All Traces: webrebates
11:40 PM: Quarantining All Traces: wild media - minigolf
11:40 PM: Quarantining All Traces: 2o7.net cookie
11:40 PM: Quarantining All Traces: a cookie
11:40 PM: Quarantining All Traces: azjmp cookie
11:40 PM: Quarantining All Traces: falkag cookie
11:40 PM: Quarantining All Traces: statcounter cookie
11:40 PM: Quarantining All Traces: webtrends cookie
11:40 PM: Removal process completed. Elapsed time 00:01:59
********
10:56 PM: | Start of Session, Thursday, April 06, 2006 |
10:56 PM: Spy Sweeper started
10:56 PM: Messenger service has been disabled.
10:57 PM: Your spyware definitions have been updated.
11:00 PM: | End of Session, Thursday, April 06, 2006 |
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 12:01:43 AM, on 4/7/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME\Tmesrv.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjthis\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: ConferenceRoom Java Client - http://java.irc.liveharmony.org:8080/java/cr.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.amdocs.com
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Diablo II Close Game Server (D2GS) - Unknown owner - C:\Diablo II\save\Europe\D2GSSVC.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: THotkey (THOTKEY) - TOSHIBA Corp. - C:\WINNT\SYSTEM32\THOTKEY.EXE
O23 - Service: Tmesrv - Unknown owner - C:\Program Files\TOSHIBA\TME\Tmesrv.exe" /Service (file missing)
-------------------------------------------
-
OK, now let's start getting rid of the stuff Panda finds and does not disinfect.
So if you would give me a new and fresh Panda scan log, we will kill those items next.
I wanted spysweeper to kill as much of that stuff as possible first.
Thanks.