Clean-Up the Old PC

Having software/hardware problems? Get help here!

Postby [Aliens]kronenbourg » Tue May 08, 2007 7:20 am

THIS IS FOR Warrior ONLY


got it right this time

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Code: Select all
[Registry - All]
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> {4233ac08-a2c4-4742-a0b4-83719613d62c} [HKLM] -> %System32%\ilmpjy.dll [grassily]
[Empty Temp Folders]





The fix should only take a very short time and then you will might asked if you want to reboot. Choose Yes if it does

when it reboots


Post the following back here:

the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

a new HJT log
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

Postby [Aliens]Warriorjock » Tue May 08, 2007 12:15 pm

ok bud cheers will do that tonite
Image
Image




WHO DARES WINS
[Aliens]Warriorjock
Captain
Captain
 
Posts: 1745
Joined: Mon Oct 23, 2006 11:20 am
Location: Scotland

Postby Spadess » Tue May 08, 2007 2:50 pm

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/07/2007 at 11:45 AM

Application Version : 3.7.1018

Core Rules Database Version : 3232
Trace Rules Database Version: 1243

Scan type : Complete Scan
Total Scan Time : 00:35:43

Memory items scanned : 381
Memory threats detected : 0
Registry items scanned : 6709
Registry threats detected : 31
File items scanned : 40956
File threats detected : 15

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{10078081-9A9B-46F8-A818-D812CC8DA90F}
HKCR\CLSID\{10078081-9A9B-46F8-A818-D812CC8DA90F}
HKCR\CLSID\{10078081-9A9B-46F8-A818-D812CC8DA90F}\InprocServer32
HKCR\CLSID\{10078081-9A9B-46F8-A818-D812CC8DA90F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10078081-9A9B-46F8-A818-D812CC8DA90F}

Adware.Tracking Cookie
C:\Documents and Settings\One\Cookies\one@a[1].txt
C:\Documents and Settings\One\Cookies\one@revsci[2].txt
C:\Documents and Settings\One\Cookies\one@ads.itv[2].txt
C:\Documents and Settings\One\Cookies\one@sitestats.tiscali.co[1].txt
C:\Documents and Settings\One\Cookies\one@myoffers[1].txt

Trojan.WinAntiSpyware/WinAntiVirus 2006/2007
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VSPF_HK\0000#Capabilities

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
HKLM\SOFTWARE\Microsoft\MSSMGR#LID

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\ONE\DESKTOP\NEW FOLDER\2006 STUFF\;\NEW FOLDER\STUFF\SECURITY TROUBLESHOOTING.URL
C:\DOCUMENTS AND SETTINGS\ONE\FAVORITES\ONLINE SECURITY TEST.URL

Worm.Alcra Variant
C:\WINDOWS\SYSTEM32\CMD.COM
C:\WINDOWS\SYSTEM32\PING.COM
C:\WINDOWS\SYSTEM32\REGEDIT.COM
C:\WINDOWS\SYSTEM32\TASKLIST.COM
C:\WINDOWS\SYSTEM32\TRACERT.COM


one down.. 8)
Image
User avatar
Spadess
1st Lieutenant
1st Lieutenant
 
Posts: 1040
Joined: Wed Oct 18, 2006 1:25 pm

Postby Spadess » Tue May 08, 2007 3:03 pm

Logfile of HijackThis v1.99.1
Scan saved at 4:02:55 PM, on 5/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe


tadaaa 8) 8) Thanks a million Kro mate
Image
User avatar
Spadess
1st Lieutenant
1st Lieutenant
 
Posts: 1040
Joined: Wed Oct 18, 2006 1:25 pm

Postby [Aliens]Warriorjock » Tue May 08, 2007 4:53 pm

Hi bud is this it....

[Registry - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{4233ac08-a2c4-4742-a0b4-83719613d62c} not found.
[Empty Temp Folders]
D:\DOCUME~1\HIRAMD~1\LOCALS~1\Temp\ -> emptied.
D:\Documents and Settings\Hiram Dunn\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 05/08/2007 17:47:35
Image
Image




WHO DARES WINS
[Aliens]Warriorjock
Captain
Captain
 
Posts: 1745
Joined: Mon Oct 23, 2006 11:20 am
Location: Scotland

Postby [Aliens]Warriorjock » Tue May 08, 2007 4:56 pm

And this bud

Logfile of HijackThis v1.99.1
Scan saved at 17:55:15, on 08/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\Powercinema\PCMService.exe
C:\apps\ABoard\ABoard.exe
C:\Program Files\AGEIA Technologies\TrayIcon.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\apps\ABoard\AOSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\APPS\SMP\SmpSys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\apps\skype\phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [ACTIVBOARD] c:\apps\ABoard\ABoard.exe
O4 - HKLM\..\Run: [AGEIA PhysX SysTray] C:\Program Files\AGEIA Technologies\TrayIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_0
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\IGN\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\APCMain.exe -m
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\apps\skype\phone\IEPlugin\SKYPEI~1.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .3.102.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
Image
Image




WHO DARES WINS
[Aliens]Warriorjock
Captain
Captain
 
Posts: 1745
Joined: Mon Oct 23, 2006 11:20 am
Location: Scotland

Postby [Aliens]kronenbourg » Wed May 09, 2007 6:51 am

THIS IS FOR Spadess ONLY


Spadess, the Hijackthis log isn't complete. Can you doublecheck the log that's saved, as you're missing a bunch of information :wink:
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

Postby Spadess » Wed May 09, 2007 12:07 pm

yep, i can confirm that what's posted is all that is saved on the log file. nothing was interupted on the scan either. does look a bit brief but ive tried to find a way of getting more info for you mate but no joy :( :(

Overall how fecked is my pc then? :lol: :lol:
Image
User avatar
Spadess
1st Lieutenant
1st Lieutenant
 
Posts: 1040
Joined: Wed Oct 18, 2006 1:25 pm

Postby [Aliens]kronenbourg » Wed May 09, 2007 12:36 pm

Re-run Hijathis again, just to be sure. Doesn't seem right that the 04 entries (startup programs) are missing, as I assume other things like your antivirus are starting okay.
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

Postby Spadess » Wed May 09, 2007 1:02 pm

ok done it again and the results are in..

Logfile of HijackThis v1.99.1
Scan saved at 2:01:43 PM, on 5/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ideazon\Zboard Software\Driver\ZboardTray.exe
C:\Program Files\Ideazon\Zboard Software\Driver\Zboard.exe
C:\Program Files\Windows NT\Accessories\wordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\msgrapp.8.1.0178.00.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: Zboard - C:\WINDOWS\SYSTEM32\Winlognotif.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe
Image
User avatar
Spadess
1st Lieutenant
1st Lieutenant
 
Posts: 1040
Joined: Wed Oct 18, 2006 1:25 pm

Postby [Aliens]kronenbourg » Mon May 14, 2007 6:53 am

THIS IS FOR Spadess ONLY


COMBO FIX:
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

Postby [Aliens]kronenbourg » Mon May 14, 2007 6:59 am

THIS IS FOR Warrior ONLY


Right, its clean now, and I'll look at your startup list later on. However, you should read the following:


Turn off system restore by following instructions here
http://www.thespykiller.co.uk/index.php?page=8
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable sytem restore & create a new restore point.

go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.
and scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Then pay an urgent visit to windows update & make sure you are fully updated & get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.



Kro
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

Postby [Aliens]Warriorjock » Mon May 14, 2007 6:37 pm

ok bud cheers.
Image
Image




WHO DARES WINS
[Aliens]Warriorjock
Captain
Captain
 
Posts: 1745
Joined: Mon Oct 23, 2006 11:20 am
Location: Scotland

Postby Spadess » Sat May 19, 2007 1:15 am

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{BC4FC~1


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-19 ))))))))))))))))))))))))))))))))))


2007-05-07 11:08 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-05-07 11:08 <DIR> d-------- C:\DOCUME~1\One\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 11:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-05-07 10:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-05-07 10:52 <DIR> d----c--- C:\VundoFix Backups
2007-05-06 22:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-05-03 18:39 <DIR> d-------- C:\Program Files\GameSpy
2007-05-02 02:57 <DIR> d-------- C:\Program Files\VisualRoute Lite Edition
2007-05-02 02:57 <DIR> d-------- C:\DOCUME~1\One\vw
2007-04-22 15:42 99,904 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-04-22 15:42 63,040 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-04-22 15:42 22,584 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-04-22 15:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-04-22 13:44 <DIR> d-------- C:\ProgramData


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-11 01:51:06 -------- d-----w C:\DOCUME~1\One\APPLIC~1\Xfire
2007-05-11 00:55:51 -------- d-s---w C:\Program Files\Xfire
2007-05-07 10:07:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-06 22:16:08 5,107 -c--a-w C:\WINDOWS\mozver.dat
2007-05-06 22:16:05 -------- d-----w C:\DOCUME~1\One\APPLIC~1\Real
2007-05-06 21:47:33 -------- d-----w C:\Program Files\Common Files\Real
2007-05-03 13:29:57 -------- d-----w C:\Program Files\ATI Technologies
2007-05-03 13:29:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-22 13:31:36 -------- d-----w C:\Program Files\LocalCooling
2007-04-11 16:55:47 -------- d-----w C:\Program Files\Crave Entertainment
2007-04-04 19:44:59 -------- d-----w C:\Program Files\mIRC
2007-04-02 13:29:42 -------- d-----w C:\Program Files\Common Files\stardock
2007-04-01 12:22:39 -------- d-----w C:\Program Files\BitComet
2007-03-24 20:45:18 -------- d-----w C:\DOCUME~1\One\APPLIC~1\Nokia
2007-03-24 20:45:15 -------- d-----w C:\DOCUME~1\One\APPLIC~1\Nokia Multimedia Player
2007-03-22 20:05:00 520,192 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-03-18 13:59:14 -------- d-----w C:\Program Files\AviSynth 2.5
2007-03-18 13:59:12 -------- d-----w C:\Program Files\eRightSoft
2007-03-16 12:54:58 -------- d-----w C:\Program Files\PowerArchiver
2007-03-15 19:55:51 -------- d-----w C:\DOCUME~1\One\APPLIC~1\PC Suite
2007-03-15 19:51:50 -------- d-----w C:\Program Files\Nokia
2007-03-15 19:51:50 -------- d-----w C:\Program Files\Common Files\Nokia
2007-03-15 13:29:00 -------- d-----w C:\DOCUME~1\One\APPLIC~1\Datalayer
2007-03-15 01:58:38 315,392 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-03-15 01:57:34 267,776 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-03-15 01:57:15 1,986,560 ----a-w C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-03-15 01:55:38 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-03-15 01:50:39 122,880 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-03-15 01:50:27 114,688 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-03-15 01:50:19 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-03-15 01:50:12 42,496 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-03-15 01:49:59 114,688 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-03-15 01:48:39 450,560 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-03-15 01:47:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-03-15 01:40:10 2,820,544 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-03-15 01:29:47 1,315,712 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-03-15 01:29:32 3,107,788 ----a-w C:\WINDOWS\system32\ativvaxx.dat
2007-03-15 01:19:32 5,402,624 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-03-15 01:16:14 258,048 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-03-15 01:14:43 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-03-15 01:10:28 356,352 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-03-14 20:48:42 -------- d-----w C:\Program Files\DIFX
2007-03-14 20:48:16 -------- d-----w C:\Program Files\Common Files\PCSuite
2007-03-13 12:13:12 -------- d-----w C:\Program Files\MSN Messenger
2007-03-06 22:04:53 143,676 ----a-w C:\WINDOWS\system32\atiicdxx.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayTool"="C:\Documents and Settings\All Users\Start Menu\Programs\Ideazon Zboard\TrayTool.lnk" [2006-12-24 15:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"WinRoll"="C:\Program Files\WinRoll\winroll.exe" [2006-01-01 23:27]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"RunStartupScriptSync"=0 (0x0)
"SynchronousMachineGroupPolicy"=0 (0x0)
"SynchronousUserGroupPolicy"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRemoteRecursiveEvents"=1 (0x1)
"NoStrCmpLogical"=1 (0x1)
"NoClose"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMBalloonTip"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsHistory"=1 (0x1)
"NoLowDiskSpaceChecks"=1 (0x1)
"MemCheckBoxInRunDlg"=0 (0x0)
"NoClose"=0 (0x0)
"NoAutoTrayNotify"=0 (0x0)
"NoResolveTrack"=0 (0x0)
"NoResolveSearch"=1 (0x1)
"LinkResolveIgnoreLinkInfo"=1 (0x1)
"NoStartBanner"=01000000
"NoWelcomeScreen"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoDesktopCleanupWizard"=1 (0x1)
"NoSharedDocuments"=1 (0x1)
"NoThemesTab"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Zboard]
Winlognotif.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages msv1_0 nwprovau
Security Packages kerberos msv1_0 schannel wdigest
Notification Packages scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSPVideo9]
C:\Program Files\pspvideo9\pspVideo9.exe -t

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Run a DLL as an App"=C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\Yahoo!\Common\ymmapi.dll,OpenInboxHandler

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"StarSkin"=C:\PROGRAM FILES\ROCKET DIVISION SOFTWARE\STARSKIN\STARSKIN.EXE -H
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter HTTPFilter
LocalService Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV
NetworkService DnsCache
DcomLaunch DcomLaunch TermService
rpcss RpcSs
imgsvc StiSvc
termsvcs TermService

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7a4c66c2-d7a1-11da-86ad-0011507e263e}]
Shell\AutoRun\command H:\setupSNK.exe

*Newly Created Service* -PROCEXP90

Contents of the 'Scheduled Tasks' folder
2007-02-16 17:15:00 C:\WINDOWS\tasks\1-Click Maintenance.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-19 09:42:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-19 9:43:29




...................................


Im getting the same hijackthis log over and over mate. Cant squize anthing else outa her. Thanks alot for the help man its a big help.
Image
User avatar
Spadess
1st Lieutenant
1st Lieutenant
 
Posts: 1040
Joined: Wed Oct 18, 2006 1:25 pm

Postby [Aliens]kronenbourg » Thu Jun 21, 2007 7:06 pm

THIS IS FOR Spadess ONLY


Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Processes group click ALL
  • In the Win32 Services group click ALL
  • In the Driver Services group click ALL
  • In the Registry group click ALL
  • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
  • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
  • In the File String Search group select ALL
  • in the Additional scans sections please press select ALL
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.



It will be best if you can email me it, as its large report (PM you my email address)
Image

Image
User avatar
[Aliens]kronenbourg
Lieutenant General
Lieutenant General
 
Posts: 4665
Joined: Thu Oct 19, 2006 7:20 am
Location: Bradford, England

PreviousNext

Return to Tech-support

Who is online

Users browsing this forum: No registered users and 1 guest

cron