crashes CCleaner
#1 OFFLINE
Posted 27 March 2007 - 11:33 AM
#2 OFFLINE
Posted 27 March 2007 - 02:10 PM
You have a nasty trojan dialer on your system and it's difficult to remove manually, as it does everything possible to protect itself. It hooks to explorer.exe using a reg entry, then changes the permissions on its reg key to prevent it being removed; it also does that with its file, which is randomly named. If you manually reset its reg entry and remove it, it will put it back instantly. If you remove the file without fixing the reg entry, explorer.exe will not load after reboot (no desktop icons or taskbar), and as you have noticed it crashes explorer if you attempt to run HijackThis or CCleaner and other tools like GMER and IceSword. Just moving the mouse over the program's icon will crash explorer, and the same if you go to Start > Run and type the name; typing the names into search engines will close the browser window instantly.
I've put a small fix tool together after having problems manually removing it on another log. I've tested this tool a lot of times and it's removing it, but I'll post some steps you can take in case anything goes wrong so you can still start explorer.exe.
Copy and paste these instructions to Notepad and save it to your desktop in case explorer.exe doesn't load and you have to remove its reg entry manually.
To run the fix, make sure you're running from the Admin account. Double click Dfix.exe and it will create a new folder on your desktop named DFix. Open the newly created DFix folder and double click fix.bat; it will only take a few seconds to run. First it finds the filename, creates a backups folder, moves the file into the backups folder, stops explorer.exe (you will lose the desktop icons and taskbar), resets the permissions on its reg entry, removes the reg entry, then resets the permissions on its file and checks if it still exists. If it does, it will repeat the steps; if not, it will end and restart explorer.exe. You should then be able to run HijackThis and post a log and also run CCleaner. If you can, ignore the rest of this post and let us know.
If you have problems and explorer.exe doesn't restart, you will have to remove its reg entry, which will be possible as the file would have been moved so it cannot load again. If explorer doesn't restart you will not be able to access the Start menu, so press Control, Alt and Delete to open Task Manager, then click Applications and New Task. You can then click Browse to find the text file you saved with these instructions and click OK to open it. Then type Regedit into Task Manager > New Task and click OK to open the Registry Editor:
Click the [+] next to HKEY_LOCAL_MACHINE
Click the [+] next to SOFTWARE
Click the [+] next to Microsoft
Click the [+] next to Windows NT
Click the [+] next to CurrentVersion
Finally Click the [+] next to Image File Execution Options
Scroll down the list and find explorer.exe, then right click it and choose Permissions. In the permissions for Everyone, place a check next to Full Control, then click Apply and OK. Right click the explorer.exe key and choose Delete, then go back to Task Manager > Applications > New Task, type explorer.exe and click OK, and it will restart.
You should not need the manual instructions as the fix tool should remove it, but it's best to be safe and provide an alternative just in case it's needed.
Let me know if you have any problems or questions
Regards
Andy
EDIT: Removed the download link now it's been used, as a variant of this trojan may also be targeting swreg.exe, which is used in the script (more testing needed).
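An added example, not the DFix tool from the post above (that tool was never published here): a PowerShell script that does the same audit and clean-up for the Image File Execution Options hook the post describes. Windows launches whatever the "Debugger" value of an IFEO subkey names instead of the program itself, which is how the dialer rides on explorer.exe. The function names, the backup folder path and the three-attempt retry are my assumptions chosen to mirror the post; it assumes an elevated PowerShell session on the infected machine, which a 2007 XP box would not have had, so treat it as a current-day version of the procedure rather than what was run in the thread.

```powershell
# Added example for this thread; not the DFix tool from the post. The backup
# folder name mirrors the post's description and is an assumption.
# Get-IfeoDebuggerHook   lists every IFEO subkey carrying a "Debugger" value.
# Remove-IfeoDebuggerHook removes one in the order fix.bat is described to use:
#   back up the file, stop the hooked program, reset the ACLs the malware
#   locked, delete the key, verify, restart explorer.
# Run from an elevated PowerShell session.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerHook {
    # One object per IFEO subkey with a Debugger value. Developer tools register
    # here too, so read the Debugger path before deciding; DenyAces > 0 (or -1,
    # ACL unreadable) is the self-protection trick described in the post.
    Get-ChildItem -Path $IfeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $acl  = Get-Acl -Path $_.PSPath -ErrorAction SilentlyContinue
            $deny = if ($acl) { @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' }).Count } else { -1 }
            [pscustomobject]@{
                Target   = $_.PSChildName   # e.g. explorer.exe
                Debugger = $dbg             # what really gets launched
                DenyAces = $deny
                KeyPath  = $_.PSPath
            }
        }
    }
}

function Reset-DenyAcl {
    # Strips Deny ACEs from a file or registry key and grants Administrators
    # Full Control so it can be moved or deleted. Needs READ_CONTROL and
    # WRITE_DAC on the object; if the malware also changed the owner, take
    # ownership first (not handled here).
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
    } else {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($admins, 'FullControl', 'Allow')
    }
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Remove-IfeoDebuggerHook {
    param(
        [Parameter(Mandatory)][string]$Target,                         # e.g. 'explorer.exe'
        [string]$BackupDir = "$env:USERPROFILE\Desktop\DFix\backups"   # assumed, mirrors the post
    )
    $key = Join-Path $IfeoRoot $Target
    if (-not (Test-Path -LiteralPath $key)) { Write-Warning "No IFEO key for $Target"; return }

    # 1. Find the file the hook launches: a quoted path, or the first token.
    $dbg  = (Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
    $file = $null
    if ($dbg -match '^"([^"]+)"') { $file = $Matches[1] }
    elseif ($dbg)                 { $file = ($dbg -split '\s+')[0] }

    # 2. Kill any running copy and move the file out first, so it cannot put the
    #    key back after we delete it (the "puts it back instantly" behaviour).
    if ($file -and (Test-Path -LiteralPath $file)) {
        Get-Process | Where-Object { $_.Path -and $_.Path -ieq $file } |
            Stop-Process -Force -ErrorAction SilentlyContinue
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        Reset-DenyAcl -Path $file
        Move-Item -LiteralPath $file -Destination $BackupDir -Force
    }

    # 3. Stop the hooked program; for explorer.exe the desktop and taskbar vanish until step 5.
    $procName = [System.IO.Path]::GetFileNameWithoutExtension($Target)
    Stop-Process -Name $procName -Force -ErrorAction SilentlyContinue

    # 4. Unlock, delete, verify; retry a few times as the post's fix.bat does.
    for ($i = 0; $i -lt 3 -and (Test-Path -LiteralPath $key); $i++) {
        Reset-DenyAcl -Path $key
        Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction SilentlyContinue
    }
    $removed = -not (Test-Path -LiteralPath $key)

    # 5. Bring the shell back.
    if ($Target -ieq 'explorer.exe') { Start-Process explorer.exe }

    [pscustomobject]@{ Target = $Target; MovedFile = $file; KeyRemoved = $removed; BackupDir = $BackupDir }
}

# Usage (elevated):
#   Get-IfeoDebuggerHook | Format-Table -AutoSize
#   Remove-IfeoDebuggerHook -Target explorer.exe
```

The file is moved before the key is touched for the reason the post gives: while the payload can still run, deleting the key only invites it to be re-created. Set-Acl will fail if the Deny ACE also blocks reading the security descriptor or the owner was changed; in that case take ownership as Administrators first and then re-run the removal.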
#3 OFFLINE
Posted 27 March 2007 - 05:40 PM
Cheers
Andy
#4 OFFLINE
Posted 28 March 2007 - 04:39 PM
Scan saved at 15:59:12, on 27/03/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iolo\System Mechanic 6\SMTrayNotify.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\lexmarktool.exe",
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Tiscali Jukebox\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.tiscali.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553775281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/in...nagerPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C62A715-0B41-4E9F-8D65-D04AB3FDB278}: NameServer = 212.139.132.53 212.139.132.52
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
#5 OFFLINE
Posted 28 March 2007 - 05:08 PM
There's one item that I'd like to get a sample of, which is a trojan of some kind, but it's not in your running processes so it may have already been removed; then just a few entries to fix to clean up a bit. Because you had a dialer that was preventing you using CCleaner or HijackThis, it's worth running an online scanner to make sure there is nothing left on the system, but we can do that a bit later. It's also worth running the Gromozon remover to be sure this dialer isn't related to that infection.
Download the Gromozon remover from here
http://www.prevx.com/gromozon.asp
Run the program and follow the prompts, then post back the log if it finds any infection.
Run HijackThis and choose Do A System Scan, then place a check next to these entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,"c:\windows\lexmarktool.exe",
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
Close all open browser and other windows except for HijackThis and press the Fix Checked button.
Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.
Run SFP.exe.
Please copy the following line into the Step 1: Paste Text window:
c:\windows\lexmarktool.exe
then click "Continue".
This will create a .cab file on your desktop named requested-files[Date/Time].cab
Next please visit SpyKillers forum here
http://www.thespykil...x.php?board=1.0
Read the instructions for uploading files, which is the first topic on the forum, then start a new topic named 'File for AndyManchesta' and upload the requested-files .cab archive from your desktop.
(Also upload that dialer trojan that we removed, which is still in the DFix backups folder.)
Once that's done please post a new HijackThis log
Thanks
Andy
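An added example, not a tool from the thread: a PowerShell check for the Winlogon values behind the F2 line above. Userinit and Shell should each name exactly one Windows program; anything else appended after a comma (here lexmarktool.exe) is launched by Winlogon at every logon, Safe Mode included, which is why the later post says it is "always running". The function names and the expected defaults are my assumptions; the sample hashtable is constructed from the log lines above and from the csipj.exe "system" value quoted later in the thread, so the check can be exercised without the live key.

```powershell
# Added example for this thread, not a tool from it. Reads the Winlogon values
# HijackThis reports as F2 entries and lists every program that is not the
# Windows default. Nothing is changed; the sample at the bottom is constructed
# from the thread's log so the check runs without touching the live key.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Test-WinlogonValues {
    # $Values: the three value names as strings (live key or copied from a log).
    # $SystemRoot: used to build the expected userinit.exe path.
    param(
        [Parameter(Mandatory)][hashtable]$Values,
        [string]$SystemRoot = $env:SystemRoot
    )
    $expected = @{
        Userinit = @("$SystemRoot\system32\userinit.exe")   # the trailing comma in the real value is normal
        Shell    = @('explorer.exe')
        System   = @()                                        # absent or empty on a clean machine
    }
    foreach ($name in 'Userinit', 'Shell', 'System') {
        $raw = [string]$Values[$name]
        # Entries are comma separated, may be quoted, and the list usually ends with a comma.
        $entries = @($raw -split ',' | ForEach-Object { $_.Trim([char[]]' "') } | Where-Object { $_ })
        foreach ($entry in $entries) {
            $ok = $expected[$name] | Where-Object { $_ -ieq $entry }
            if (-not $ok) {
                [pscustomobject]@{ Value = $name; Unexpected = $entry; Raw = $raw }
            }
        }
    }
}

function Get-WinlogonValues {
    # Live read; run this on the machine being cleaned.
    $p = Get-ItemProperty -Path $WinlogonKey
    @{ Userinit = $p.Userinit; Shell = $p.Shell; System = $p.System }
}

# Constructed sample: the Userinit string from the F2 line in the log above plus
# the "system"="csipj.exe" value quoted later in the thread.
$sample = @{
    Userinit = 'c:\windows\system32\userinit.exe,"c:\windows\lexmarktool.exe",'
    Shell    = 'explorer.exe'
    System   = 'csipj.exe'
}
Test-WinlogonValues -Values $sample -SystemRoot 'C:\WINDOWS' | Format-Table -AutoSize

# On the machine itself:
#   Test-WinlogonValues -Values (Get-WinlogonValues) | Format-Table -AutoSize
```

The comparison is case-insensitive and ignores quoting, so the only thing that gets reported is a program that is not the stock userinit.exe or explorer.exe, which is exactly the signal the HijackThis F2 line gives, just without needing the tool.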
#6 OFFLINE
Posted 29 March 2007 - 04:42 PM
Hello Andy, thanks for the instructions. Sorry, I have only just got your message, I've been out of the house. Well, I cannot download Prevx, I keep getting a message stating that the site is not available!! Oh dear, is this something nasty again? The other site will download OK and HijackThis works, as does CCleaner.
#7 OFFLINE
Posted 29 March 2007 - 05:34 PM
No problem about the delays, just do the steps in your own time and I'll be notified when you reply. If you can upload the requested-files.cab file which I posted in the last reply it will help, as I can see what that trojan is that's hooking to userinit on your PC (it's always running, even in Safe Mode, with it hooking to that Microsoft file). I'm hoping it doesn't exist now, but if you follow those steps I'll know for sure, plus I can then test it if it is still on your system and find out what it's doing.
I'm not sure what's blocking Prevx on your PC, maybe your hosts file has been modified, but we can look at that a bit later when you complete the above steps. I've attached the Gromozon remover to this reply and it creates a log on the C:\ drive after it's run, which you can then post back; hopefully it will not find any infection though.
*Note: the file is randomly named to prevent malware interfering with it when it runs, so don't worry that it doesn't mention Gromozon remover in the name.
Cheers
Andy
Attached Files
#8 OFFLINE
Posted 29 March 2007 - 06:33 PM
Hello again Andy, I have sent through that CAB file. The Prevx ran perfectly and told me that it had removed the dread Gromozon. I was distracted by a call for supper, and inadvertently pressed the download for Prevx1, which it proceeded to do; it's now loaded! You must think this a bit of a nut house down here! Do I do another HJT log and send it through? How do I get at the Prevx log to send on, is that possible? I really am grateful for all the help you are giving (not to mention time).
#9 OFFLINE
Posted 29 March 2007 - 07:20 PM
Scan saved at 20:10:32, on 29/03/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Tiscali Jukebox\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
O4 - Startup: Registration Brothers In Arms.LNK = D:\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.tiscali.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1134553775281
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jin...ows-i586-jc.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (MSN Music Mediabar) - http://sib1.od2.com/common/musicmanager/in...nagerPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C62A715-0B41-4E9F-8D65-D04AB3FDB278}: NameServer = 212.139.132.53 212.139.132.52
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.ex
#10 OFFLINE
Posted 30 March 2007 - 10:19 AM
Thanks for uploading the files. The .cab archive was empty, so it would have already been removed from your system at some stage. I've merged your 3 topics here into this one; to reply just use the reply button at the bottom of the page rather than starting a new topic. The Gromozon remover would have created a logfile on the C:\ drive named gromozon_removal.log; please open that and copy and paste the contents into your next reply.
Prevx is a nice program so it's fine that you have installed it, although it wasn't needed to run the Gromozon tool. It is a trial though, so once it detects any infection it then allows you to use it free for 1 month; after this has expired it will not remove any malware it finds unless you pay for it, so you can then either decide to pay for it or uninstall it.
As you already have AVG Anti-Spyware, AVG Anti-Virus plus Spy Sweeper running, you may notice a slowdown if you have too many protection programs on the system all running at the same time and providing real-time protection. If you do, Prevx can be removed using the Add/Remove screen, but you may as well keep it for the trial period and then decide if you want to pay to keep it or uninstall it. It's also worth running a full system scan to see if it detects any additional problems on your PC.
Please do an online scan with Kaspersky WebScanner.
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
- The program will launch and then begin downloading the latest definition files:
- Once the files have been downloaded click on NEXT
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
- Scan Mail Bases
- Select My Computer
- Now click on the Save as Text button:
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running as it may cause it to stall
Please then post back the Gromozon remover log (C:\gromozon_removal.log) , Kaspersky log and the Comboscan log
Let me know if you have any problems
Cheers
Andy
#11 OFFLINE
Posted 30 March 2007 - 03:59 PM
------------------------------------
Executing rootkit removal engine....
------------------------------------
Disabling rootkit file: C:\WINDOWS\system32\imjp8r.ime
Resetting file permissions...
Clearing attributes...
Removing file...
Rootkit removed! Cleaning up...
Removing temp files...
Scanning: C:\WINDOWS
Scanning: C:\Program Files\Common Files
Trojan.Gromozon Removed
file for andymanchesta
#12 OFFLINE
Posted 30 March 2007 - 06:05 PM
Your HijackThis log looks fine now so I'll wait to see the results from Kaspersky and Comboscan to see if there's anything left to remove
Thanks
#13 OFFLINE
Posted 30 March 2007 - 07:28 PM
Attached Files
#14 OFFLINE
Posted 31 March 2007 - 05:02 AM
I didn't see the times article, what was it about?
There's just one problem showing there: you have had a Trojan.Wareout infection on your system at some stage, but with UnSpyPc being involved it could have been a long time ago so it may not be active now. This entry is added by that trojan:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"="csipj.exe"
It's also showing UnSpyPc in the AutorunsDisabled key, which is also added by that trojan:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"UnSpyPC"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.
Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe
Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. Please reboot your computer when prompted. Your system may take longer than usual to load but this is normal.
Once the desktop loads please post the text that will open (report.txt) back on here.
Next open notepad (Start Menu > Run > type notepad and press ok) then copy and paste the contents of the code box into Notepad making REGEDIT4 the top line.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"UnSpyPC"=-
Go to File on the top bar of Notepad and choose Save As, in the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double click fix.reg (or right click and choose Merge) and allow it to be merged into the registry, which will remove the entries.
Finally generate a report of the Add/Remove screen entries:
Open Hijackthis, and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.
Cheers
Andy
#15 OFFLINE
Posted 31 March 2007 - 09:56 AM
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csipj.exe"
»»»»» System restarted
»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\System32\close.bmp Deleted
C:\WINDOWS\System32\dating.bmp Deleted
C:\WINDOWS\System32\gambling.bmp Deleted
C:\WINDOWS\System32\idesk.conf Deleted
C:\WINDOWS\System32\insurance.bmp Deleted
C:\WINDOWS\System32\pharmacy.bmp Deleted
C:\WINDOWS\System32\spyware.bmp Deleted
C:\WINDOWS\System32\xxx.bmp Deleted
....
»»»»» Checking for older varients.
....
Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.
Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/
»»»»» Other
Good morning Andy, gosh you're up and about early!! What I call the crack of doom! Have now risen refreshed, breakfasted, and done the ixawaere
»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Mercora"="\"C:\\Program Files\\Tiscali Jukebox\\MercoraClient.exe\" -startup"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""
"SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe /startintray"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TRIXX"="\"C:\\Program Files\\TRIXX\\TRIXX.exe\" -s"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="\"C:\\Program Files\\iolo\\System Mechanic 6\\SMSystemAnalyzer.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe\""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""
"UnSpyPC"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»
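The fix in post #14 and the FixWareout report in post #15 both turn on two registry indicators: a non-empty "System" value under Winlogon (which is empty on a clean XP system) and entries parked under an AutorunsDisabled key. The script below is an added example, not part of the thread or of FixWareout; it parses a REGEDIT4-style export (the shape of the "Current runs" section above), flags those two indicators, and emits a fix.reg in the same form as the one posted. The sample export is constructed here for illustration.

```python
"""Added example (not from the thread or FixWareout): flag the Trojan.Wareout
registry indicators described in the thread in a REGEDIT4-style export, and
emit the corresponding fix.reg text. Sample input below is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed sample: a trimmed REGEDIT4 export in the shape FixWareout reports.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"system"="csipj.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe\" /STARTUP"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"UnSpyPC"="\"C:\\Program Files\\UnSpyPC\\UnSpyPC.exe\""
'''

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a REGEDIT4/5 export.
    String values ("name"="data") are unescaped; other right-hand sides
    (hex:, dword:, the "-" deletion marker) are kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor", ";")):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                # Unescape \" and \\ inside a REG_SZ literal.
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
            keys[current][name] = data
    return keys


def find_wareout_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each indicator. Registry key and
    value names are case-insensitive, so comparisons are lower-cased."""
    hits: List[Tuple[str, str, str]] = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(r"\currentversion\winlogon"):
            # Wareout plants its loader in the normally empty "System" value.
            for name, data in values.items():
                if name.lower() == "system" and data != "":
                    hits.append((key, name, data))
        elif k.endswith(r"\autorunsdisabled"):
            # Anything parked here by the trojan is worth review.
            for name, data in values.items():
                hits.append((key, name, data))
    return hits


def build_fix_reg(hits: List[Tuple[str, str, str]]) -> str:
    """Emit REGEDIT4 text that empties the Winlogon "System" value and
    deletes every other flagged value, as the posted fix.reg does."""
    lines = ["REGEDIT4", ""]
    for key, name, _ in hits:
        lines.append(f"[{key}]")
        if key.lower().endswith(r"\currentversion\winlogon"):
            lines.append(f'"{name}"=""')
        else:
            lines.append(f'"{name}"=-')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_wareout_indicators(parse_reg_export(SAMPLE_EXPORT))
    for key, name, data in found:
        print(f'suspicious: [{key}] "{name}" = {data}')
    print(build_fix_reg(found))
```

Run it as-is to see the two flagged values and the generated fix.reg; to check a real export, read the file produced by regedit's File > Export (or the FixWareout report section) into parse_reg_export instead of the constructed sample. Review the flagged AutorunsDisabled entries before merging: legitimate programs disabled through Autoruns land in the same key.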
#16 OFFLINE
Posted 31 March 2007 - 10:16 AM
Active Security Monitor 1.0.0.315
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.9
Adobe Shockwave Player
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATITool Overclocking Utility
AVG 7.5
AVG Anti-Spyware 7.5
BitComet 0.84
Brothers In Arms
CCleaner (remove only)
CCScore
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Download Accelerator Plus (DAP)
East-Tec Eraser 2006 Version 7.2
EPSON CardMonitor
EPSON Copy Utility 3
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON Print CD
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ESPR300 Reference Guide
ESPR300 Software Guide
ESPR300 Standalone Guide
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSSONIC
ESSTOOLS
essvatgt
essvcpt
ESSvpaht
ESSvpot
FLAC Installer 1.1.3b (remove only)
GiPo@MoveOnBoot 1.9.5
Google Toolbar for Internet Explorer
Google Video Player
HijackThis 1.99.1
HLPIndex
HLPSFO
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
IntelliSMS Outlook Addin
iolo technologies' System Mechanic 6
iTunes
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
Kodak EasyShare software
Kodak Memory Albums
KSU
LimeWire 4.12.6
Logitech Print Service
Logitech QuickCam Software
Logitech® Camera Driver
MadOnion.com/3DMark2001 SE
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Publisher 2002
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.2)
Mozilla Firefox (2.0.0.3)
MSN Music Mediabar
MSN Toolbar
MSP3885-E 56K PCI Modem
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Nero
Notifier
OfotoXMI
Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0
OTtBP
OTtBPSDK
PartyPoker
Perf2480P_2580P Reference Guide
PhotoImpression 5
PIF DESIGNER2.1
Planet Earth Screen Saver
Presto! BizCard 4.1 Eng
Prevx1
QuickTime
RealArcade
RealPlayer
SAGEM F@st 800-840
Sapphire TRIXX
ScanToWeb
Security Task Manager 1.7
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
SFR
SHASTA
SiSoftware Sandra Lite XI (Win64/32/CE)
SKIN0001
SKINXSDK
Skype 2.5
Sonic CinePlayer DVD Pack
Spy Sweeper
StrongestGuard
Tiscali Jukebox v4.1.2.86
TreeSize Professional 4.1.1
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
VPRINTOL
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Vista Upgrade Advisor
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WIRELESS
Yahoo! Toolbar
ZoneAlarm
Hello again Andy, here we are as requested. Just noticed my typing is still appalling!! Must improve 50 times!!! Warm regards, Chaffeur
#17 OFFLINE
Posted 31 March 2007 - 12:15 PM
Yeah, I was up very early today, just had a few things to sort out, but I have a nice lazy day planned now.
Cheers for the logs, they look fine, just a couple of optional items:
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Both of these can be removed from the Add/Remove screen and then update to the latest version; it's common for them to leave older versions on the system when it updates itself, so it's easier to remove them first, then visit Sun's website Here and get the latest version.
PartyPoker
If you installed PartyPoker and wish to use it then it's fine to ignore it and leave it on the PC. If you didn't install it intentionally then it can be removed from the Add/Remove screen (Start Menu > Control Panel > Add or Remove Programs), because in some cases these programs are supported by malware and get installed without consent.
Remove this folder if it still exists
C:\Program Files\UnSpyPC
Can you then check one of your Add/Remove screen entries, as I'm not familiar with it, unless you know the program:
Open Hijackthis, and click the Misc Tools button again
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel will open
On the list to the left, left click StrongestGuard
On the right side you will see 2 boxes, one shows Name and the other shows Uninstall Command
Can you left click the Uninstall Command line and cover all the text inside the box, then copy it and paste it back on here? I'm just curious where it's pointing for the uninstaller as it might help show what put it there.
Thanks
#18 OFFLINE
Posted 01 April 2007 - 07:20 PM
Andy Manchesta, herewith that detail you requested, I've never heard of this. Hope it's not another nasty?
Hope you enjoyed the football and had a relaxing weekend. Regards, chaffeur
#19 OFFLINE
Posted 01 April 2007 - 08:03 PM
I had a good weekend thanks, hope yours has been nice as well.
That entry is related to Trojan Gromozon; it's added by the LinkOptimizer part of the infection. I've just checked the page and it looks like a fake uninstaller: the source code of the page shows it's not capable of uninstalling anything, as it just shows a button named Uninstall, and when you click that it shows ThankYou but it wouldn't remove anything from the system, so it's maybe just to confuse infected users and could possibly have exploit code added at some stage to load something else on the system if someone visits there.
Let's remove it. Open the same screen on HijackThis:
Open Hijackthis, and click the Misc Tools button
Then click the Open Uninstall Manager... button.
On the list to the left, left click StrongestGuard
On the right side click the Delete this entry button and then click Yes at the prompt,
Everything else is looking fine, how's it running and are there any remaining problems?
Andy
#20 OFFLINE
Posted 01 April 2007 - 08:37 PM