Privacy_Danger



#1 Concie

    Newbie

  • Members
  • 5 posts

Posted 28 June 2007 - 01:02 PM

Hello all.
Got the Privacy_Danger problem as of this afternoon, tried some things, which all failed. So I did a search on the internet to see if others had this problem too. Have to say, it really made me smile when I found this forum and saw that it could be taken care of. ^_^
Anyway, just rebooted, and made a HijackThis log. I really hope you guys can help me out as well!

----

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:52:45, on 28-6-2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Cleanup\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\System32\ctfmon.exe
D:\steam\steam.exe
D:\Program Files\StatBar\StatBar.exe
C:\WinZip\WZQKPICK.EXE
D:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
D:\Program Files\Sitecom\IVT BlueSoleil\BlueSoleil.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\Documents and Settings\ernst gooris\Bureaublad\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - D:\WINDOWS\ddesupport.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Cleanup\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [pnaqv.exe] D:\WINDOWS\System32\pnaqv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [StatBar] D:\Program Files\StatBar\StatBar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = D:\Program Files\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
O17 - HKLM\System\CS1\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
O17 - HKLM\System\CS2\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
O20 - Winlogon Notify: winvew32 - winvew32.dll (file missing)
O21 - SSODL: msole - {9D6FAF06-220C-4E09-B88D-35A40859F57D} - D:\WINDOWS\msole.dll
O21 - SSODL: msdde - {CF97F52C-2FB5-425A-A183-4BC69EAD71A4} - D:\WINDOWS\msdde.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm

--
End of file - 7982 bytes

#2 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 28 June 2007 - 10:30 PM

Hi Concie, Welcome to the forum,

Why do you not have any Service Packs installed? :blink: :blink:

You should print out these instructions, or copy them to a Notepad file and save it to your desktop, because you will not be able to connect to the Internet to read from this site.

Run Hijack This and choose Do A System Scan then place a check next to these entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = ht*p://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: MSVPS System - {49CF52D7-8D58-4E22-A874-AAD721F5B523} - D:\WINDOWS\ddesupport.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [yaemu.exe] D:\WINDOWS\System32\yaemu.exe
O4 - HKLM\..\Run: [pnaqv.exe] D:\WINDOWS\System32\pnaqv.exe
O20 - Winlogon Notify: winvew32 - winvew32.dll (file missing)
O21 - SSODL: msole - {9D6FAF06-220C-4E09-B88D-35A40859F57D} - D:\WINDOWS\msole.dll
O21 - SSODL: msdde - {CF97F52C-2FB5-425A-A183-4BC69EAD71A4} - D:\WINDOWS\msdde.dll
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm

Close all open browser windows and other windows except for HijackThis and press the Fix Checked button

Download SmitfraudFix and save it to your system,

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please download FixWareout from one of these sites:

http://downloads.sub.../Fixwareout.exe
http://download.blee.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; reboot your computer when prompted to do so. Your system may take longer than usual to load, but this is normal.

Once the desktop loads please post the text that will open (report.txt), the Smitfraudfix log (C:\Rapport.txt) and a new Hijackthis log.

Cheers

Andy
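As an added illustration, not part of this thread and not code from HijackThis, SmitfraudFix or FixWareout, here is a small Python triage script that reads HijackThis log lines like the ones in the first post and flags the signals Andy's fix list targets: O17 NameServer values pointing at public resolvers (the 85.255.x.x addresses), O20 Winlogon Notify entries with no backing file, O21 SSODL entries, and O24 desktop components that render a local HTML file. It also diffs a before and after log, which is the check to run on the new HijackThis log Andy asks for. The sample entries are copied from this thread; the O17 line with the all-zero interface GUID and 192.168.1.1, the "after" log, and the `trusted_resolvers` parameter are constructed for the example. R0 start-page entries are left to manual review because the script cannot judge a domain.

```python
"""Triage HijackThis log lines for the DNS-hijack and persistence signals discussed in this thread.

Added example, not part of the thread or of HijackThis itself.
"""
import ipaddress
import re

# Constructed sample "before" log: the entries are copied from the first HijackThis
# log in this thread, plus one O17 line with a private resolver (constructed, all-zero
# interface GUID) so the negative case is covered.
SAMPLE_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/N.../3560/homepage/
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer = 85.255.116.165,85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.165 85.255.112.141
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O20 - Winlogon Notify: winvew32 - winvew32.dll (file missing)
O21 - SSODL: msole - {9D6FAF06-220C-4E09-B88D-35A40859F57D} - D:\WINDOWS\msole.dll
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O24 - Desktop Component 0: Privacy Protection - file:///D:\WINDOWS\privacy_danger\index.htm
"""

# Constructed "after" log: what the same entries should look like once the flagged
# items have been fixed and the machine rebooted.
SAMPLE_AFTER = r"""
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# HijackThis prints resolvers either comma- or space-separated; (Dhcp)? covers both keys.
NAMESERVER_RE = re.compile(r"(?P<key>(?:Dhcp)?NameServer) = (?P<value>.*)$")


def parse_log(text):
    """Return (section, body) tuples for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text, trusted_resolvers=()):
    """Flag entries that match the infection pattern seen in this thread.

    trusted_resolvers (assumed parameter): public resolver addresses the site
    deliberately uses, so they are not reported as hijacks.
    """
    findings = []
    for section, body in parse_log(text):
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if not m:
                continue
            for ip in re.split(r"[,\s]+", m.group("value").strip()):
                if not ip:
                    continue
                try:
                    addr = ipaddress.ip_address(ip)
                except ValueError:
                    findings.append((section, f"{m.group('key')} holds non-IP value {ip!r}"))
                    continue
                # A static public resolver that the local network did not hand out is the hijack signal.
                if not addr.is_private and ip not in trusted_resolvers:
                    findings.append((section, f"{m.group('key')} points at public resolver {ip}"))
        elif section == "O20" and "(file missing)" in body:
            findings.append((section, "Winlogon Notify package with no backing DLL: " + body))
        elif section == "O21":
            # SSODL DLLs load into Explorer at logon; legitimate ones are rare, so review each.
            findings.append((section, "ShellServiceObjectDelayLoad entry to review: " + body))
        elif section == "O24" and "file://" in body.lower():
            findings.append((section, "Desktop component rendering a local HTML file: " + body))
    return findings


def removed_entries(before, after):
    """Entries present in the earlier log but absent from the later one (fix verification)."""
    after_set = set(parse_log(after))
    return [e for e in parse_log(before) if e not in after_set]


if __name__ == "__main__":
    for section, message in triage(SAMPLE_BEFORE):
        print(f"[{section}] {message}")
    print("removed after fix:", len(removed_entries(SAMPLE_BEFORE, SAMPLE_AFTER)))
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; the public-resolver rule is what catches the 85.255.x.x entries in this thread, while a resolver handed out by the router (192.168.1.1) passes.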

#3 Concie

    Newbie

  • Members
  • 5 posts

Posted 29 June 2007 - 12:00 AM

Hello Andy, first of all, thanks for replying at this late time of day. =)
I followed all the steps you explained. No more red background or pop-ups, so I assume it's going great. Thanks a lot already.

Here are the 3 reports.
1st Fixwareout
2nd Smitfraud
3rd HijackThis

----

Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.116.165" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{05029083-AFA6-4C73-8E3E-DBE073A68798}
"nameserver"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{721C858A-0216-487A-8F70-CA30AC283614}
"nameserver"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{79449571-3271-4C10-9F43-377DE2966100}
"nameserver"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}
"nameserver"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{05029083-AFA6-4C73-8E3E-DBE073A68798}
"DhcpNameServer"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{721C858A-0216-487A-8F70-CA30AC283614}
"DhcpNameServer"="85.255.116.165,85.255.112.141" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{79449571-3271-4C10-9F43-377DE2966100}
"DhcpNameServer"="85.255.116.165,85.255.112.141" <Value cleared.

De DNS-omzettingscache is leeggemaakt.


System was rebooted successfully.

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
D:\WINDOWS\System32\essxu.exe Deleted
D:\WINDOWS\System32\aeols.exe Deleted
D:\WINDOWS\System32\mrrtk.exe Deleted
D:\WINDOWS\System32\qylca.exe Deleted
D:\WINDOWS\System32\urovc.exe Deleted
D:\WINDOWS\System32\uqyob.exe Deleted
D:\WINDOWS\System32\qnwoc.exe Deleted
D:\WINDOWS\System32\jprkv.exe Deleted
D:\WINDOWS\System32\xmgsh.exe Deleted
D:\WINDOWS\System32\poaag.exe Deleted
D:\WINDOWS\System32\bcnjk.exe Deleted
D:\WINDOWS\System32\vptep.exe Deleted
D:\WINDOWS\System32\nnqob.exe Deleted
D:\WINDOWS\System32\qcacu.exe Deleted
D:\WINDOWS\System32\jqire.exe Deleted
D:\WINDOWS\System32\yjowu.exe Deleted
D:\WINDOWS\System32\tqrco.exe Deleted
D:\WINDOWS\System32\yzzxx.exe Deleted
....
»»»»» Misc files.
D:\WINDOWS\System32\hgqhp.exe Deleted
D:\WINDOWS\System32\kernel32.exe Deleted
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="D:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"D:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"QuickTime Task"="\"D:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DAEMON Tools-1033"="\"D:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"SunJavaUpdateSched"="D:\\Program Files\\Java\\jre1.5.0_02\\bin\\jusched.exe"
"NvMediaCenter"="RUNDLL32.EXE D:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="D:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"Zone Labs Client"="\"D:\\Cleanup\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"PWRISOVM.EXE"="D:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"WinampAgent"="D:\\Program Files\\Winamp\\winampa.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\\WINDOWS\\System32\\ctfmon.exe"
"Steam"="\"d:\\steam\\steam.exe\" -silent"
"StatBar"="D:\\Program Files\\StatBar\\StatBar.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

----

SmitFraudFix v2.197

Scan done at 1:31:49,54, vr 29-06-2007
Run from D:\Documents and Settings\ernst gooris\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

D:\WINDOWS\main_uninstaller.exe Deleted
D:\WINDOWS\msole.dll Deleted
D:\WINDOWS\msdde.dll Deleted
D:\WINDOWS\privacy_danger\ Deleted
D:\DOCUME~1\ERNSTG~1\BUREAU~1\Error Cleaner.url Deleted
D:\DOCUME~1\ERNSTG~1\BUREAU~1\Privacy Protector.url Deleted
D:\DOCUME~1\ERNSTG~1\BUREAU~1\Spyware?Malware Protection.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{05029083-AFA6-4C73-8E3E-DBE073A68798}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{721C858A-0216-487A-8F70-CA30AC283614}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: DhcpNameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{79449571-3271-4C10-9F43-377DE2966100}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{BD83CF97-9D3D-4483-A315-A292BBB62DE1}: NameServer=85.255.116.165,85.255.112.141
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: NameServer=85.255.116.165 85.255.112.141
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: NameServer=85.255.116.165 85.255.112.141
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: NameServer=85.255.116.165 85.255.112.141


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

----

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:50:42, on 29-6-2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe
D:\WINDOWS\System32\nvsvc32.exe
D:\WINDOWS\System32\CTHELPER.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\D-Tools\daemon.exe
D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\Cleanup\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\PowerISO\PWRISOVM.EXE
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\System32\ctfmon.exe
D:\steam\steam.exe
D:\Program Files\StatBar\StatBar.exe
C:\WinZip\WZQKPICK.EXE
D:\Program Files\Sitecom\IVT BlueSoleil\BlueSoleil.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\ernst gooris\Bureaublad\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Cleanup\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "d:\steam\steam.exe" -silent
O4 - HKCU\..\Run: [StatBar] D:\Program Files\StatBar\StatBar.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlueSoleil.lnk = D:\Program Files\Sitecom\IVT BlueSoleil\BlueSoleil.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postb...l/sesam/CAX.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\System32\browseui.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\Sitecom\IVT BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - D:\WINDOWS\system32\ZONELABS\vsmon.exe

--
End of file - 6229 bytes

----

I am already very happy with this progress; I hope everything is solved now! In the meantime I took some time to read around on this forum, and I'll follow the tips you guys gave on defending against spyware. I also really like CCleaner.

#4 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 29 June 2007 - 01:12 AM

Hi Concie.

That's looking much better, but it's likely there are more files on your system that will not show in tools like HijackThis, so it's best to run an online scanner next. You really need to consider upgrading your version of XP as it's well out of date; running Windows without any service packs is very risky as there are far too many security holes which attackers can use to get trojans on your system. If the version of Windows isn't legit then you should look at ways of getting a genuine installation so that you can get it fully updated, as it will keep getting infected in its current state. If the version of Windows is legit then visit http://windowsupdate.microsoft.com/ and get all the available updates, then reboot when prompted and keep revisiting until there are no more high priority updates available.

Run Hijack This and choose Do A System Scan then place a check next to these entries

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm

Close all open browser windows and other windows except for HijackThis and press the Fix Checked button

Download AVG Anti-Spyware
  • Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner tab at the top and then click on Complete System Scan
  • AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
  • Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Finally Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files,
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please then post back the AVG Antispyware log and the Kaspersky log then we can take it from there

Cheers

#5 Concie

    Newbie

  • Members
  • 5 posts

Posted 29 June 2007 - 01:44 PM

AndyManchesta, on Jun 29 2007, 03:12 AM, said:

Hi Concie.

That's looking much better, but it's likely there are more files on your system that will not show in tools like HijackThis, so it's best to run an online scanner next. You really need to consider upgrading your version of XP as it's well out of date; running Windows without any service packs is very risky as there are far too many security holes which attackers can use to get trojans on your system. If the version of Windows isn't legit then you should look at ways of getting a genuine installation so that you can get it fully updated, as it will keep getting infected in its current state. If the version of Windows is legit then visit http://windowsupdate.microsoft.com/ and get all the available updates, then reboot when prompted and keep revisiting until there are no more high priority updates available.

Oh, I did not know that it was that dangerous not to upgrade. Thing is though, as of September I can buy WinXP cheap from a student site (as my study year hasn't started yet), so I am going to wait for that. You have certainly convinced me of getting the legit Windows, because I do of course want a safe system, and now that I have seen what kind of trouble I can get into without it...

Here are the reports. Before I ran AVG Anti-Spyware and Kaspersky, I also ran AVG (free edition), which changed and deleted the following 2 files.
D:\Windows\System32\drivers\etc\hosts -> Changed.
D:\System Volume Information\_restore{1F84C355-C0AB..etc}\RP515\A0152687.exe (Trojan horse Generic5.BKW) -> Deleted.

Here's the AVG Anti-Spyware report

----

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 13:47:21 29-6-2007

+ Scan result:



D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153123.dll -> Adware.Agent : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153124.dll -> Adware.Agent : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-1085031214-725345543-839522115-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153122.exe -> Downloader.Agent.bjc : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153160.exe -> Downloader.Small.tc : Cleaned with backup (quarantined).
D:\Documents and Settings\ernst gooris\Cookies\ernst gooris@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
D:\Documents and Settings\ernst gooris\Cookies\ernst gooris@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
D:\Documents and Settings\ernst gooris\Cookies\ernst gooris@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.7:D:\Documents and Settings\ernst gooris\Application Data\Mozilla\Firefox\Profiles\xzrsivw4.Ernst\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.8:D:\Documents and Settings\ernst gooris\Application Data\Mozilla\Firefox\Profiles\xzrsivw4.Ernst\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.9:D:\Documents and Settings\ernst gooris\Application Data\Mozilla\Firefox\Profiles\xzrsivw4.Ernst\cookies.txt -> TrackingCookie.Netflame : Cleaned.
D:\Documents and Settings\ernst gooris\Cookies\ernst gooris@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
D:\Documents and Settings\ernst gooris\Cookies\ernst gooris@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153142.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153143.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153144.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153145.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153146.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153147.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153148.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153149.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153150.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153151.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153152.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153153.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153154.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153155.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153156.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153157.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153158.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153159.exe -> Trojan.DNSChanger.hd : Cleaned with backup (quarantined).
D:\Program Files\BitLord\Downloads\SONY.Vegas.6.0c.FULL.Include.Keymaker-PDX.zip/KEYGEN/SONYkeygen.exe -> Trojan.Pakes.edg : Cleaned with backup (quarantined).
D:\Vegas install\KEYGEN\SONYkeygen.exe -> Trojan.Pakes.edg : Cleaned with backup (quarantined).


::Report end

----

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 29, 2007 3:24:41 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/06/2007
Kaspersky Anti-Virus database records: 355352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 69882
Number of viruses found: 11
Number of infected objects: 70 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:02:50

Infected Object Name / Virus Name / Last Action
C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\lmpuy.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\WINDOWS\Temp\ZLT020b2.TMP Object is locked skipped
D:\WINDOWS\Temp\ZLT020c9.TMP Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Debug\oakley.log Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
D:\WINDOWS\Internet Logs\ERNST.ldb Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\ernst gooris\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\ernst gooris\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Temp\~DFBAF6.tmp Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Temp\Perflib_Perfdata_d8.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Temp\Perflib_Perfdata_af0.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Geschiedenis\History.IE5\MSHist012007062920070630\index.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\ernst gooris\Mijn documenten\other stuff\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Documents and Settings\ernst gooris\Mijn documenten\other stuff\mirc616.exe mIRC: infected - 1 skipped
D:\Documents and Settings\ernst gooris\Bureaublad\Security\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Documents and Settings\ernst gooris\Bureaublad\Security\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Documents and Settings\ernst gooris\Bureaublad\Security\SmitfraudFix.exe RarSFX: infected - 2 skipped
D:\Documents and Settings\ernst gooris\Bureaublad\Security\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
D:\Documents and Settings\ernst gooris\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\ernst gooris\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936 ZIP: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936 CryptFF.b: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-59e10998-46188dbc.zip.bac_a02936/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-59e10998-46188dbc.zip.bac_a02936/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-59e10998-46188dbc.zip.bac_a02936/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-59e10998-46188dbc.zip.bac_a02936 ZIP: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-59e10998-46188dbc.zip.bac_a02936 CryptFF.b: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-652b4e66-1c98baf3.zip.bac_a02936/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-652b4e66-1c98baf3.zip.bac_a02936/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-652b4e66-1c98baf3.zip.bac_a02936/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-652b4e66-1c98baf3.zip.bac_a02936 ZIP: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-652b4e66-1c98baf3.zip.bac_a02936 CryptFF.b: infected - 3 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936/GetAccess.class Infected: Trojan.Java.ClassLoader.c skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936 ZIP: infected - 4 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\classload.jar-2fa9f21f-4ced6d9b.zip.bac_a02936 CryptFF.b: infected - 4 skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\jd1.exe.bac_a02936 Infected: Trojan.Win32.OpenPort.c skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\exefile[1].exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080033.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080096.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080168.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080234.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080302.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080375.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080414.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080429.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\MFEX-1.DAT.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080474.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080500.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080566.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0080646.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0081646.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0081665.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0081706.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\.housecall\Quarantine\A0081717.exe.bac_a02936 Infected: Trojan-Downloader.Win32.Small.cis skipped
D:\Documents and Settings\ernst gooris\UserData\index.dat Object is locked skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP502\A0149239.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP502\A0149257.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP503\A0149304.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP504\A0149350.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP505\A0149386.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP508\A0150386.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP510\A0150475.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP511\A0151476.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP514\A0152479.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP514\A0152544.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP514\A0152579.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP514\A0152591.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP515\A0152646.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP515\A0152676.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP515\A0152694.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0152779.exe/data0007 Infected: Trojan-Downloader.Win32.Agent.bjc skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0152779.exe NSIS: infected - 1 skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0152977.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0153004.exe Infected: Trojan.Win32.DNSChanger.fb skipped
D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP517\change.log Object is locked skipped
D:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped

Scan process completed.

----

Seems like a lot of problems.. :(
Thanks again for the help!

#6 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 29 June 2007 - 08:22 PM

Hey Concie

Quote

Oh, I did not know that it was that dangerous to not upgrade. Thing is though, as of September I can buy WinXP cheap from a student site (as my study year hasn't started yet), so I am going to wait for that. You have certainly convinced me of getting the legit Windows, because I do of course want a safe system, and now that I have seen what kind of trouble I can get into without it...

It looks like most of these problems have come from you running an infected keygen file, which is a very common trick malware writers use because they don't need to use any exploits to infect your PC: you infect it yourself by running the file. Avoid using any crack/serial/keygen sites or downloads as they are very malicious, and most of the malware around comes from those sorts of sites & files:
D:\Vegas install\KEYGEN\SONYkeygen.exe -> Trojan.Pakes.edg

Regarding Windows, it is essential to have a fully patched system these days, and even then you need a firewall and antivirus program running full time. With you running Windows without any Service Packs or the security updates that come with them, it would be very easy for a malicious site to run exploits as soon as you open the webpage, which could then install rootkits, infostealers, backdoor trojans etc. without you having to click anything. There are some very nasty infections around these days that will patch essential Windows files, and then infections that add rootkits so that antivirus programs cannot detect them running, so keeping Windows up to date to help prevent those sorts of problems is very important.

Can you set Windows to show hidden files and folders?

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Delete this file

D:\WINDOWS\system32\lmpuy.exe

Delete this folder:

D:\Documents and Settings\ernst gooris\.housecall\Quarantine

Then set Windows to re-hide hidden and system files as explained above by clicking the Restore Defaults button.

Please then run CCleaner to remove temp files and folders from your system.

Then clear your System Restore points, as some are infected:

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.


Please then open HijackThis, click Config... in the bottom right of the scan screen, then click Open hosts file manager; this will display the contents of the hosts file. Please then click Open in Notepad and copy and paste the contents of the Notepad file back on here so we can make sure the hosts file is correct.

Click the Back button on HijackThis to return to the Misc Tools menu (or click Config... again to open the menu), then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the uninstall list and the hosts file list, and let us know if you're still having any problems.

Thanks

Andy

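The sorting Andy does by hand on Concie's Kaspersky report (the one live file in system32, the leftovers in the old HouseCall quarantine folder, the copies inside restore points, and the riskware that is not really an infection) can be scripted. The Python below is an added example, not code from this thread or from any of the scanners mentioned: the report-line regexes, bucket names and helper names are its own assumptions about the report format, and the sample lines are a subset copied from the report posted above.

```python
"""Triage a Kaspersky Online Scanner style report into clean-up buckets.

Added example, not code from the thread above.  It mechanises the sorting
Andy does by hand on the report Concie posted: the one live file is deleted,
the stale HouseCall quarantine folder is removed, restore points are
flushed, riskware and locked objects are left alone.  The sample lines are
copied from that report; bucket names, regexes and helper names are this
example's own assumptions about the report format.
"""
import re
from collections import defaultdict

# "<path> Infected: <detection name> <action>"   (one detected object)
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\w+)$")
# "<path> Object is locked <action>"             (unreadable, not a detection)
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\w+)$")
# "<path> ZIP: infected - 3 skipped"             (container summary; members are listed separately)
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[\w.-]+): infected - \d+ (?P<action>\w+)$")

RESTORE_POINT_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)
QUARANTINE_RE = re.compile(r"\\Quarantine\\", re.IGNORECASE)


def classify(path, name):
    """Map one detection to the bucket that decides how it gets cleaned."""
    if name.startswith("not-a-virus:"):
        return "riskware"        # admin tools / IRC clients the user chose; review, don't delete blindly
    if RESTORE_POINT_RE.search(path):
        return "restore_point"   # only reachable by purging System Restore
    if QUARANTINE_RE.search(path):
        return "old_quarantine"  # already defanged by another scanner; delete the folder
    if "/" in path:
        return "archive_member"  # inside a zip/rar/sfx; remove the container
    return "active"              # a live file on disk: the one that still matters


def triage(report_lines):
    """Group detections by bucket; locked objects and container lines are only counted."""
    buckets = defaultdict(list)
    buckets["locked_count"] = 0
    buckets["container_count"] = 0
    for raw in report_lines:
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            buckets["locked_count"] += 1
            continue
        m = INFECTED_RE.match(line)
        if m:
            buckets[classify(m["path"], m["name"])].append((m["path"], m["name"]))
            continue
        if CONTAINER_RE.match(line):
            buckets["container_count"] += 1
    return dict(buckets)


def action_plan(buckets):
    """Turn the buckets into the ordered clean-up steps a helper would post."""
    steps = [f"delete live file: {p}  [{n}]" for p, n in buckets.get("active", [])]
    folders = {p.rsplit("\\", 1)[0] for p, _ in buckets.get("old_quarantine", [])}
    steps += [f"delete stale quarantine folder: {f}" for f in sorted(folders)]
    steps += [f"delete archive containing malware: {p.split('/', 1)[0]}  [{n}]"
              for p, n in buckets.get("archive_member", [])]
    if buckets.get("restore_point"):
        steps.append("create a fresh restore point, then purge the old ones (cleanmgr > More Options)")
    steps += [f"review, do not delete blindly: {p}  [{n}]" for p, n in buckets.get("riskware", [])]
    return steps


# Subset of lines copied from the Kaspersky report posted above.
SAMPLE_REPORT = [
    r"C:\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped",
    r"C:\SmitfraudFix.exe RarSFX: infected - 2 skipped",
    r"D:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"D:\WINDOWS\system32\lmpuy.exe Infected: Trojan.Win32.DNSChanger.fb skipped",
    r"D:\Documents and Settings\ernst gooris\NTUSER.DAT Object is locked skipped",
    r"D:\Documents and Settings\ernst gooris\.housecall\Quarantine\count.jar-1de9bb6a-1cd3a952.zip.bac_a02936/BlackBox.class Infected: Exploit.Java.ByteVerify skipped",
    r"D:\Documents and Settings\ernst gooris\.housecall\Quarantine\jd1.exe.bac_a02936 Infected: Trojan.Win32.OpenPort.c skipped",
    r"D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP502\A0149239.exe Infected: Trojan.Win32.DNSChanger.fb skipped",
    r"D:\System Volume Information\_restore{1F84C355-C0AB-45ED-B26D-8D8C00FD9195}\RP516\A0152779.exe/data0007 Infected: Trojan-Downloader.Win32.Agent.bjc skipped",
    r"D:\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped",
]

if __name__ == "__main__":
    for step in action_plan(triage(SAMPLE_REPORT)):
        print(step)
```

The order of the checks in classify matters: the restore-point and quarantine tests run before the archive test, so a class file inside a quarantined jar is filed under the quarantine folder (delete the folder) rather than reported as a loose archive, which matches what Andy asked for.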
#7 OFFLINE   Concie

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 30 June 2007 - 01:27 PM

Hey Andy, I'm going to be a lot more careful with files I download; I guess I was very naive to believe there was nothing wrong with the keygen programs. :( I'm also going to try and get a legit version of Windows faster, I will see what I can do about that.
I took all the steps as you described, but the only thing I got in the "Open hosts file manager" was this:

127.0.0.1 localhost

---

Here's the uninstall_list:

AC3Filter (remove only)
Adobe Reader 7.0.8
ASUSDVD XP
AVG 7.5
AVG Anti-Spyware 7.5
BitLord 1.1
BitTornado 0.3.7
BlueSoleil 2.3.2.3 Release
BSC Cleanitol TM
CCleaner (remove only)
Columbus Terrain Mod 1.0 english
Command & Conquer Generals
Command and ConquerTM Generals Zero Hour
Cycledog Tree Mod 1.0 english
DAEMON Tools
DivX Codec
DivX Converter
DivX Player
Dungeon Siege 2
Dungeon Siege 2 Broken World
eMule
FFUR 2007 1.0
Flashpoint Resistance uninstall
Fraps (remove only)
Game Cam Lite
HijackThis 2.0.0
Hitman Pro
IrfanView (remove only)
IsoBuster 1.6
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
Kaspersky Online Scanner
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Office 2000 Professional
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
mIRC
Mozilla Firefox (1.0.3)
MS Access 97 SP2
MSN Messenger 7.5
NetworkAddonMod Beta Version 2006.12.24
NVIDIA Drivers
OGM to AVI Beta .6
OpenTTD 0.4.8.0
Operation Flashpoint uninstall
Pontifex II
PowerISO
PowerStrip 3 (remove only)
QuickTime
Red Alert Windows 95
SAMSUNG CDMA Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
SC4DatPacker
Serious Sam: The Second Encounter
SimCity 4 Deluxe
Sony Media Manager 2.0
Sony Vegas 6.0c
Sound Blaster Live! Web 2K/XP
Spybot - Search & Destroy 1.4
Starcraft
StatBar 2.406
Steam
Stronghold Legends
SUPERAntiSpyware Free Edition
TeamSpeak 2 RC2
TeamSpeak 2 Server RC2
Ventrilo Client
VideoLAN VLC media player 0.8.6a
Westwood Chat
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
WinRAR
WinZip
World of Warcraft
WowEquip (remove only)
Xvid 1.1.2 final uninstall
XviD MPEG-4 Codec
ZoneAlarm

---

NetworkAddonMod is a SimCity 4 mod, btw.
I hope this looks all right. :)

#8 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 30 June 2007 - 06:52 PM

Hi Concie

The hosts file is fine; a default hosts file should only contain the 127.0.0.1 localhost entry, so yours is correct. If it had contained, for example, antivirus websites with 127.0.0.1 next to them, then it wouldn't have been possible for you to open the sites mentioned, as 127.0.0.1 refers to your own machine, and a lot of malware modifies the hosts file for that reason, to block users getting to certain security sites. With AVG detecting a changed hosts file earlier that may have happened on yours, but it's nice to see it was reset to the default Microsoft hosts file.

Your Add/Remove screen entries are also fine. The version of Java is out of date but the rest looks OK; some older versions of Java are vulnerable to infections, so it's worth removing them and getting the latest, as a couple of trojans try to exploit bugs in older versions to get on the PC.

Go to the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs) and remove

J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2


Once it's removed, get the latest version from Sun's website here:

http://www.java.com/...nload/index.jsp

I'll add a few basic steps below to help avoid further infections.

Please try to get a genuine version of Windows as soon as possible so that you can install updates as explained earlier, because in its current state it's very likely the machine will become reinfected.

Consider installing SpywareBlaster
SpywareBlaster can help prevent malware installing by adding hundreds of malicious sites to the Restricted zone of IE and blocking the common spyware ActiveX controls, which prevents the installation of any of them via webpages. A tutorial on using SpywareBlaster can be found here.
  • Avoid illegal sites such as warez, cracks, serials etc... because that's where most malware is present.
  • Don't click on links inside Popups, Messenger programs or spam email messages.
  • Download free software only from sites you know and trust.
Please make sure to run your antivirus software regularly and to keep it up to date, and also read Tony Klein's excellent article: So how did I get Infected in the First Place?

These steps will lower the chances of getting more malware issues, but let us know if you have questions or problems anytime.

Cheers

Andy

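Andy's hosts-file check above (only the 127.0.0.1 localhost line should be present; security sites pinned to 127.0.0.1 mean the file was tampered with to block them) can be automated. The Python below is an added example, not code from this thread or from HijackThis: the list of vendor/update domains and the tampered sample file are constructed for illustration, and it goes a little beyond the thread by also flagging names pointed at an outside address, the other common hosts-file trick.

```python
"""Audit a Windows hosts file for the tampering Andy describes above.

Added example, not part of the original thread.  It parses hosts-file text,
ignores comments, and reports every mapping other than the stock
"127.0.0.1 localhost" line, split into security/update sites pinned to
loopback (which blocks updates and online scanners) and names pointed at an
outside address (silent redirects).  The vendor-domain list and the tampered
sample file are this example's own constructions, not data from the thread.
"""
import ipaddress

# Assumed list of update/vendor domains that hosts-file malware typically blackholes.
SECURITY_DOMAINS = (
    "windowsupdate.microsoft.com", "update.microsoft.com", "windowsupdate.com",
    "grisoft.com", "kaspersky.com", "symantec.com", "trendmicro.com",
    "mcafee.com", "sophos.com", "safer-networking.org", "javacoolsoftware.com",
)


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each active mapping; comments/blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed; Windows ignores it too
        ip, names = parts[0], parts[1:]
        for name in names:                        # one line may list several hostnames
            yield ip, name.lower().rstrip("."), no


def is_blackhole(ip):
    """True for loopback or the 0.0.0.0 'null route', both used to make a name unreachable."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                              # not an address at all; reported as a redirect
    return addr.is_loopback or addr.is_unspecified


def is_security_site(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return suspicious mappings grouped by what they do."""
    findings = {"blocked_security_sites": [], "other_blackholes": [], "redirects": []}
    for ip, name, no in parse_hosts(text):
        if name == "localhost" and is_blackhole(ip):
            continue                              # the stock entry ("::1 localhost" too)
        if is_blackhole(ip):
            key = "blocked_security_sites" if is_security_site(name) else "other_blackholes"
        else:
            key = "redirects"
        findings[key].append((no, ip, name))
    return findings


def hosts_is_clean(text):
    """True when nothing but the localhost mapping (and comments) is present."""
    return not any(audit_hosts(text).values())


# Constructed tampered hosts file: the entries are invented for the example
# (203.0.113.10 is a documentation address), not taken from Concie's machine.
SAMPLE_TAMPERED = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       windowsupdate.microsoft.com
127.0.0.1       www.grisoft.com free.grisoft.com
127.0.0.1       housecall.trendmicro.com
0.0.0.0         www.kaspersky.com
203.0.113.10    www.google.com
"""

if __name__ == "__main__":
    for kind, entries in audit_hosts(SAMPLE_TAMPERED).items():
        for no, ip, name in entries:
            print(f"line {no}: {kind}: {ip} -> {name}")
```

On XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it as text and pass the contents to audit_hosts. A file that is clean by this check still needs the rest of Andy's steps, since the hosts file is only one of the places a DNSChanger-type infection can redirect traffic.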
#9 OFFLINE   Concie

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 30 June 2007 - 11:30 PM

Hello Andy.

Java is updated, and I've installed SpywareBlaster. Windows will be taken care of ASAP.
I want to thank you for your patience and help, as well as the advice you gave me. It has all been very helpful! :)
I will keep checking on these forums to see if there is some news in the anti-spyware / anti-virus world.
Good luck to you and the other people of Spyware Hell that spend their time helping others, have a drink on me! :)

#10 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 30 June 2007 - 11:41 PM

You're welcome Concie, I'm glad we could help.

Happy Surfing :)

Andy