Avast WEBforum

Other => Viruses and worms => Topic started by: Capricho on April 28, 2008, 04:21:57 PM

Title: C:\ ComboFix.txt
Post by: Capricho on April 28, 2008, 04:21:57 PM
This is the Report after having problems with Win32:Virtumonde-IS (Adw)


Microsoft Windows XP Home Edition  5.1.2600.2.1252.34.1033.18.63 [GMT 2:00]
Running from: C:\Program Files\Combo-Fix.exe
 * Created a new restore point

C:\Program Files\180solutions
C:\Program Files\Common Files\SLMSS
C:\Program Files\ISTsvc
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\temp\dm767.tmp
C:\Program Files\screensavers.com\Wallpaper\Blue Bottles.jpg
C:\Program Files\screensavers.com\Wallpaper\Flower Cubes.jpg
C:\Program Files\screensavers.com\Wallpaper\Goldfish.jpg
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\screensavers.com\Wallpaper\Thumbs.db
C:\WINDOWS\system32\csloa.dll
C:\WINDOWS\system32\kdsya.exe

.
(((((((((((((((((((((((((   Files Created from 2008-03-28 to 2008-04-28  )))))))))))))))))))))))))))))))
.

2008-04-28 15:46 . 2008-04-28 15:46   1,778,287   --a------   C:\Program Files\Combo-Fix.exe
2008-04-11 17:35 . 2004-07-13 21:12   69,632   ---------   C:\WINDOWS\erase_SR.exe
2008-04-11 17:08 . 2008-04-11 17:08   <DIR>   d--------   C:\Program Files\XoftSpySE

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-03 13:34   100,208   ----a-w   C:\Documents and Settings\Ana  Hernandez\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 05:07   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-28 05:06   ---------   d-----w   C:\Program Files\Common Files\AVSMedia
2008-02-28 05:05   ---------   d-----w   C:\Program Files\AVS4YOU
2006-03-15 09:32   7,531,962   ----a-w   C:\Program Files\Accesoremoto a Hogskolan.exe
2004-04-18 14:48   1,649,697   ----a-w   C:\Program Files\AWA005XDGI.EXE
2004-04-18 14:33   9,491,469   ----a-w   C:\Program Files\TMQ0003BKM.EXE
2004-04-18 12:28   3,056,430   ----a-w   C:\Program Files\MI-Z32280803CS04US.EXE
2004-04-12 18:36   9,294,960   ----a-w   C:\Program Files\Media Player XP.exe
2005-11-04 16:14   80   --sh--r   C:\WINDOWS\system32\09669F2157.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1}]
         C:\PROGRA~1\BARGAI~1\bin2\apuc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [ ]
"Cpusave32"="c:\windows\system32\cpusave32.exe" [ ]
"Sndcompat"="c:\windows\system32\sndcompat.exe" [ ]
"Pwr32ctr"="c:\windows\system32\pwr32ctr.exe" [ ]
"Monitormgt"="c:\windows\system32\monitormgt.exe" [ ]
"Pixelsvr"="c:\windows\system32\pixelsvr.exe" [ ]
"Info32x"="c:\windows\system32\info32x.exe" [ ]
"Pixel32"="c:\windows\system32\pixel32.exe" [ ]
"Sndbass"="c:\windows\system32\sndbass.exe" [ ]
"Imagemgt32"="c:\windows\system32\imagemgt32.exe" [ ]
"Cabchk32"="c:\windows\system32\cabchk32.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:56 15360]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 06:58 68856]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-08-06 12:43 23165736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2001-08-03 19:21 1409024]
"Adulteras en directo"="C:\Adulteras en directo\Adulteras en directo.exe" [ ]
"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-08-27 12:58 684032]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-11-13 15:43 98304]
"Sndcompat"="c:\windows\system32\sndcompat.exe" [ ]
"LWBMOUSE"="C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE" [ ]
"Pixelsvr"="c:\windows\system32\pixelsvr.exe" [ ]
"Vidcompat"="c:\windows\system32\vidcompat.exe" [ ]
"Sndbass"="c:\windows\system32\sndbass.exe" [ ]
"Dvdcompat"="c:\windows\system32\dvdcompat.exe" [ ]
"Dx8compat"="c:\windows\system32\dx8compat.exe" [ ]
"jqiuax"="ujtcclh.exe" []
"Cabchk32"="c:\windows\system32\cabchk32.exe" [ ]
"Monitormgt"="c:\windows\system32\monitormgt.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-05-06 13:14 98304]
"STOPzilla"="C:\Program Files\STOPzilla!\Stopzilla.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-09 19:24 180269]
"OpwareSE2"="D:\OmnipageSE\OpwareSE2.exe" [2003-05-08 12:00 49152]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2001-09-08 12:51:48 40960]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Software Kodak EasyShare.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 02:22:40 757760]
Kodak software updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 14:12:08 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2004-07-13 22:14 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= sonymjpg.dll
"VIDC.CTRX"= ctrxvid.drv
"MSVideo"= lvfwwdmt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\support.com\\client\\bin\\tgcmd.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\WINDOWS\\System32\\dpvsetup.exe"=
"C:\\WINDOWS\\System32\\rundll32.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Marratech\\Marratech6.1\\bin\\Marratech.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 19:31]
R1 SonyFanC;FAN Control Device Service;C:\WINDOWS\system32\Drivers\SonyFanC.sys [2001-09-06 16:21]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 V7;V7;C:\WINDOWS\system32\drivers\V7.sys [2000-03-09 11:24]
S2 STOPzilla NT Service;STOPzilla NT Service;C:\Program Files\STOPzilla!\szntsvc.exe []
S3 adiusbae;USB ADSL LAN Adapter;C:\WINDOWS\system32\DRIVERS\adiusbae.sys [2002-08-15 11:25]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys [2001-08-17 12:11]
S3 Boonty Games;Boonty Games;"C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe" [2005-11-06 20:40]
S3 WrKPoET2000;WrKPoET2000;C:\Program Files\WinPoET Broadband Connection\WrKPoET2000.sys []

.
Contents of the 'Scheduled Tasks' folder
"2002-01-08 17:30:38 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-08 17:30:40 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 16:03:10
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_WATCHDOG.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2008-04-28 16:11:29 - machine was rebooted
ComboFix-quarantined-files.txt  2008-04-28 14:11:12

Pre-Run: 2,204,708,864 bytes free
Post-Run: 3,525,083,136 bytes free

159   --- E O F ---   2008-03-12 08:27:33
Title: Re: C:\ ComboFix.txt
Post by: DavidR on April 28, 2008, 04:26:08 PM
This really should have gone together with your original topic, http://forum.avast.com/index.php?topic=34721.0 to keep everything together.
Title: Re: C:\ ComboFix.txt
Post by: Capricho on April 28, 2008, 04:36:44 PM
Sorry...
Title: Re: C:\ ComboFix.txt
Post by: Capricho on April 28, 2008, 04:57:54 PM
By the way, after scanning with ComboFix, I still have the problems that I used to have. That is, whenever I search something on Yahoo.com or other servers I am relaunched to other pages by, for example, http://partners.mamma.com (although I have included this site in the restricted zone of Internet Options).

Is that the normal problem when having this type of rootkit?

Thanks
Title: Re: C:\ ComboFix.txt
Post by: DavidR on April 28, 2008, 06:21:00 PM
A rootkit doesn't actually have a specific thing it does, its task is to remain hidden and usually launches other malware (frequently that it also hides).

The redirects are either browser hijack or a modified HOSTS file.

HOSTS file redirect - 127.0.0.1: check your HOSTS file using Notepad or a text editor of your choice, C:\WINDOWS\system32\drivers\etc\hosts, or do a search for HOSTS to find it if not there. http://en.wikipedia.org/wiki/Hosts_file
Title: Re: C:\ ComboFix.txt
Post by: oldman on April 28, 2008, 06:29:41 PM
Since there isn't anything relevant in your other thread, please stay in this one.

Check the Hosts as DavidR suggests, then post a hijackthis log.

Click here (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis) to download HJTsetup.exe
Title: Re: C:\ ComboFix.txt
Post by: Capricho on April 30, 2008, 10:25:33 AM
Hi!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:06, on 2008-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\OmnipageSE\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [Adulteras en directo] C:\Adulteras en directo\Adulteras en directo.exe /nostart
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE
O4 - HKLM\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKLM\..\Run: [Vidcompat] c:\windows\system32\vidcompat.exe
O4 - HKLM\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKLM\..\Run: [Dvdcompat] c:\windows\system32\dvdcompat.exe
O4 - HKLM\..\Run: [Dx8compat] c:\windows\system32\dx8compat.exe
O4 - HKLM\..\Run: [jqiuax] ujtcclh.exe autorun
O4 - HKLM\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [OpwareSE2] "D:\OmnipageSE\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cpusave32] c:\windows\system32\cpusave32.exe
O4 - HKCU\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKCU\..\Run: [Info32x] c:\windows\system32\info32x.exe
O4 - HKCU\..\Run: [Pixel32] c:\windows\system32\pixel32.exe
O4 - HKCU\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKCU\..\Run: [Imagemgt32] c:\windows\system32\imagemgt32.exe
O4 - HKCU\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {4BEDE7F3-2238-4D7D-9F31-38BDDDA2573B} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
Title: Re: C:\ ComboFix.txt
Post by: Capricho on April 30, 2008, 10:26:32 AM
I could not send it in one message, so here is the rest of it

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.www.bibproxy.du.se/lib/dalarna/support/plugins/ebraryRdr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.201.69.103/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/realarcade-webgames/bejeweled2/popcaploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76096FF-AFB1-4048-87D7-DE326BB13A93}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: STOPzilla NT Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

--
End of file - 13055 bytes
Title: Re: C:\ ComboFix.txt
Post by: oldman on May 01, 2008, 11:57:05 AM
Open HJT, do a system scan only, check mark the following lines, if present

O2 - BHO: UrlCatcher Class - {CE31A1F7-3D90-4874-8FBE-A5D97F8BC8F1} - C:\PROGRA~1\BARGAI~1\bin2\apuc.dll (file missing)
O4 - HKLM\..\Run: [Adulteras en directo] C:\Adulteras en directo\Adulteras en directo.exe /nostart
O4 - HKLM\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKLM\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKLM\..\Run: [Vidcompat] c:\windows\system32\vidcompat.exe
O4 - HKLM\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKLM\..\Run: [Dvdcompat] c:\windows\system32\dvdcompat.exe
O4 - HKLM\..\Run: [Dx8compat] c:\windows\system32\dx8compat.exe
O4 - HKLM\..\Run: [jqiuax] ujtcclh.exe autorun
O4 - HKLM\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O4 - HKLM\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Cpusave32] c:\windows\system32\cpusave32.exe
O4 - HKCU\..\Run: [Sndcompat] c:\windows\system32\sndcompat.exe
O4 - HKCU\..\Run: [Pwr32ctr] c:\windows\system32\pwr32ctr.exe
O4 - HKCU\..\Run: [Monitormgt] c:\windows\system32\monitormgt.exe
O4 - HKCU\..\Run: [Pixelsvr] c:\windows\system32\pixelsvr.exe
O4 - HKCU\..\Run: [Info32x] c:\windows\system32\info32x.exe
O4 - HKCU\..\Run: [Pixel32] c:\windows\system32\pixel32.exe
O4 - HKCU\..\Run: [Sndbass] c:\windows\system32\sndbass.exe
O4 - HKCU\..\Run: [Imagemgt32] c:\windows\system32\imagemgt32.exe
O4 - HKCU\..\Run: [Cabchk32] c:\windows\system32\cabchk32.exe
O9 - Extra button: (no name) - {869EE607-5376-486d-8DAC-EDC8E239AD5F} - C:\WINDOWS\System32\c_10230.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{C76096FF-AFB1-4048-87D7-DE326BB13A93}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87

Close all other browsers/windows, click Fix. Close HJT.

What do you know about these? They are desktop components.

O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

Please download FixWareout from

http://downloads.subratam.org/Fixwareout.exe


Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is NORMAL.

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double click mbam-setup.exe to install the application.

Extra note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post the fixwareout results, malwarebytes result and a new HJT log.

Thanks
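The two redirect mechanisms DavidR named (a modified HOSTS file) and oldman listed for fixing (the O17 NameServer overrides) can be triaged from a copy of the HOSTS file and a HijackThis log with the script below. It is an added example, not part of this thread nor of ComboFix, HijackThis or Fixwareout; the expected resolver network (192.168.1.0/24), the sample HOSTS file and the .test hostnames are constructed assumptions, while the two 85.255.x.x O17 lines are copied from the log posted above.

```python
"""Triage the two redirect mechanisms discussed in this thread: a modified
HOSTS file and NameServer overrides under the Tcpip registry keys, which
HijackThis reports as O17 lines.  Added example; not part of the thread,
ComboFix, HijackThis or Fixwareout."""
import ipaddress
import re
from typing import List, Tuple

# Resolvers this machine is expected to use.  Assumption for the demo: the
# ISP/DHCP resolver lives on the LAN; a NameServer override pointing anywhere
# else is flagged for a human to review.
EXPECTED_RESOLVER_NETS = [ipaddress.ip_network("192.168.1.0/24")]

LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
DEFAULT_HOSTS_NAMES = {"localhost", "localhost.localdomain"}

# HijackThis O17 line: "O17 - <registry key>: NameServer = <ip>[,| ]<ip>..."
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from HOSTS file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def triage_hosts(text: str) -> List[Tuple[str, str, str]]:
    """Classify every non-default HOSTS entry.

    loopback  -> the name is sunk to 127.0.0.1/::1 (typical for blocking
                 AV/update sites)
    redirect  -> the name resolves to some other address (search or bank
                 redirect)
    malformed -> the address field is not an IP at all
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_HOSTS_NAMES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((name, ip, "malformed"))
            continue
        kind = "loopback" if addr in LOOPBACK else "redirect"
        findings.append((name, ip, kind))
    return findings


def triage_o17(log_text: str) -> List[Tuple[str, str, str]]:
    """Flag NameServer overrides in HJT O17 lines that fall outside the
    expected resolver networks.  Handles both separators HJT prints:
    commas for per-interface keys, spaces for the Parameters key."""
    findings = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        for server in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                findings.append((m.group("key"), server, "malformed"))
                continue
            if not any(addr in net for net in EXPECTED_RESOLVER_NETS):
                findings.append((m.group("key"), server, "unexpected-resolver"))
    return findings


# Constructed sample HOSTS file (documentation addresses and .test names).
SAMPLE_HOSTS = """\
# constructed sample, not from the infected machine
127.0.0.1       localhost
127.0.0.1       update.example-av.test
203.0.113.7     www.example-search.test   # redirect to another host
not-an-ip       mail.example.test
"""

# Constructed HJT excerpt: two O17 lines copied from the thread's log plus a
# benign override pointing at the LAN resolver.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C994046-C3C6-40BF-BE41-D29D92CFAF54}: NameServer = 85.255.114.27,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.27 85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    for finding in triage_hosts(SAMPLE_HOSTS) + triage_o17(SAMPLE_HJT):
        print(*finding)
```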
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 02, 2008, 11:34:22 AM
Here goes the Fixwareout log

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{0A89AF12-67AB-45B0-856D-C166FC75D94D}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{9D16AAF7-3771-4812-9D43-B7ACC4DE414E}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{DDCA8A52-9680-44B4-A8E3-47BFD5487E8A}
"DhcpNameServer"="85.255.114.27,85.255.112.87" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.
 
~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"ZTgServerSwitch"="c:\\program files\\support.com\\client\\bin\\tgcmd.exe /server"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver\\LVCOMS.EXE"
"LWBMOUSE"="C:\\PROGRA~1\\WHEELM~1\\WHEELM~1\\3.11\\LWB3DAPP.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"STOPzilla"="\"C:\\Program Files\\STOPzilla!\\Stopzilla.exe\" /autorun"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"OpwareSE2"="\"D:\\OmnipageSE\\OpwareSE2.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Octoshape Streaming Services"="\"C:\\Program Files\\Octoshape Streaming Services\\Ana  Hernandez\\OctoshapeClient.exe\" -inv:bootrun"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 02, 2008, 12:02:32 PM
Malwarebytes' Anti-Malware 1.11
Database version: 707

Scan type: Quick Scan
Objects scanned: 36739
Time elapsed: 18 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\apuc.urlcatcher (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\apuc.urlcatcher.1 (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c6906a23-4717-4e1f-b6fd-f06ebed14177} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4eb7bbe8-2e15-424b-9ddb-2cdb9516a2a3} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa4939c3-deca-4a48-a454-97cd587c0ef5} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eee4a2e5-9f56-432f-a6ed-f6f625b551e0} (Adware.NetOptimizer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WSEM Update (Adware.NetOptimizer) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\popcaploader.dll (Adware.PopCap) -> Quarantined and deleted successfully.
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 02, 2008, 12:08:19 PM
The Desktop items are OK, but I do not know  
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:46, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\OmnipageSE\OpwareSE2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://lexin.nada.kth.se/sve-spa.html
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [LWBMOUSE] C:\PROGRA~1\WHEELM~1\WHEELM~1\3.11\LWB3DAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [OpwareSE2] "D:\OmnipageSE\OpwareSE2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Ana  Hernandez\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {4BEDE7F3-2238-4D7D-9F31-38BDDDA2573B} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {4C9FC05C-5889-42E1-B533-A65D02A80101} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft® JavaScript® Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O9 - Extra 'Tools' menuitem: JavaScript Console - {DEF0C3FE-F2E5-4FA1-8703-CA94873FA8DB} - C:\WINDOWS\System32\COMDLG32.OCX (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.www.bibproxy.du.se/lib/dalarna/support/plugins/ebraryRdr.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.201.69.103/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {C86FF4B0-AA1D-46D4-8612-025FB86583C7} (AstoundLauncher Control) - http://zone.msn.com/bingame/jobo/default/AstoundLauncher.cab#version=1,0,0,10
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 02, 2008, 12:08:59 PM
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Unknown owner - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe (file missing)
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: STOPzilla NT Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.diariodecadiz.es/carnaval/img/agr4.JPG
O24 - Desktop Component 1: (no name) - http://www.free-languages.com/images/t.gif
O24 - Desktop Component 2: (no name) - http://clavecorp.grupo-sm.com/imagen/dicclave.gif
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
O24 - Desktop Component 4: (no name) - http://www.sedl.org/loteced/images/LOTECED_top_bar.jpg

--
End of file - 10656 bytes
Title: Re: C:\ ComboFix.txt
Post by: polonus on May 02, 2008, 12:48:27 PM
Hi Capricho,

Here is the analysis of your HJT logfile for three consecutive days, to be found here:
http://www.hijackthis.de/logfiles/7fceff8825345bd0c3f31a397c0a7a42.html

polonus
Title: Re: C:\ ComboFix.txt
Post by: oldman on May 02, 2008, 01:13:02 PM
Ok, good. We can take care of the O24 line.

This one should go: BOONTY. Reason:

http://www.castlecops.com/o23list-1744.html

Your choice though. Let me know and I'll give you a hand.

In Windows Explorer, navigate to this folder, if present:

C:\Program Files\Bargain Buddy

And delete the entire Bargain Buddy folder.


You may want to uninstall/reinstall these programs as they have missing files.

STOPzilla!
SecuRemote



Open HJT, run a system scan only, and check-mark these lines if present:

O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
 


Close all other browsers/windows, click fix, close HJT.


How are things at your end?
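A small triage of the HJT log along the lines oldman applies above (services whose binary is missing, the O24 desktop component, the BOONTY service, and ActiveX downloads fetched from a bare IP address). This is an added example, not HijackThis code or anything posted in the thread; the sample lines are copied from the log above, and the BOONTY blocklist and the bare-IP heuristic are this example's own assumptions.

```python
"""Triage a HijackThis (HJT) log for the entry types reviewed in this thread.

Added example, not HijackThis code or code from the thread. Heuristics are
assumptions made here: O23 services whose binary is missing, O23 vendors on a
caller-supplied blocklist, O24 desktop components (web content on the desktop),
and O16 DPF (ActiveX) downloads served from a bare IP address.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O16 - DPF: {73F0FD85-BD47-4A95-86D1-DE38860462C1} (PremiumHTML Class) - http://213.201.69.103/data/dialercab/IberoDialerHTML.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: STOPzilla NT Service - Unknown owner - C:\Program Files\STOPzilla!\szntsvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif
"""

HJT_LINE = re.compile(r"^(O\d+|R\d) - (.*)$")          # "O23 - Service: ..."
BARE_IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


@dataclass
class Finding:
    section: str   # HJT section prefix, e.g. "O23"
    reason: str    # why a reviewer should look at the line
    line: str      # the original log line


def triage_hjt(log_text, blocked_vendors=("BOONTY",)):
    """Return the Findings for lines a reviewer would want to look at."""
    blocked = {v.upper() for v in blocked_vendors}
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # headers, the process list and blank lines are skipped
        section, body = m.groups()
        if section == "O23":
            if body.endswith("(file missing)"):
                findings.append(Finding(section, "service binary missing", raw))
            # O23 layout: "Service: <name> - <vendor> - <path>"; the vendor is the middle field
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3 and parts[1].upper() in blocked:
                findings.append(Finding(section, f"vendor on blocklist: {parts[1]}", raw))
        elif section == "O24":
            findings.append(Finding(section, "web content embedded on desktop", raw))
        elif section == "O16" and BARE_IP_URL.search(body):
            findings.append(Finding(section, "ActiveX download from bare IP address", raw))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```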
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 02, 2008, 03:00:30 PM
 Hi!

I have fixed this with HJT:
O24 - Desktop Component 3: (no name) - http://us.i1.yimg.com/us.yimg.com/i/fifa/gen/back2.gif

I have not found the folder Bargain Buddy, but everything runs perfectly now.

Thank you so much 

Title: Re: C:\ ComboFix.txt
Post by: oldman on May 02, 2008, 07:35:22 PM
Good. Clean up the tools you used.

* Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u


* Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)

Double click OTCleanIt, click the Clean Up button.

You may get prompted by your firewall that OTCleanit/OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune.

This program is for XP and Windows 2000 only.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


To update your java

*Go to  http://java.sun.com/javase/downloads/index.jsp

 Scroll down to "Java Runtime Environment (JRE) 6 Update 6...allows end-users to run Java applications".

Click the download button on the right.

 > If the Information Bar pops up, right-click on it and say it's OK to display the blocked content.


Select the platform (Windows, in your case), multi-language.
Accept the license agreement, click continue.

You do not have to install the Java Web Start ActiveX Control

Scroll down and click on Windows Offline Installation,

Save the file jre-6u6-windows-i586-p.exe to your desktop; do not select Run it. Do not install it yet.

When the download is complete, close your browser.

Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files\JavaVM <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure  and reboot if not prompted to do so.



Adobe Acrobat

If you have the full version of Adobe

Open Acrobat, Click Help and run the Upgrade applet found there. If no update is offered: Use the Preferences, Internet submenu of Acrobat and uncheck to integrate with your Browser. Close Acrobat.

Even if you had the full version of Acrobat or just the reader, download and install Adobe Reader 8.1.2 and use this as the integrated PDF reader inside your browser.

 http://www.adobe.com/products/acrobat/readstep2.html

Select your version of Windows from the dropdown menu, click Continue, and proceed to step 2, which is the download.


You may want to check for other programs that need updating.

* Check if you have insecure applications with Secunia Software Inspector (http://secunia.com/software_inspector/)


Take care and keep safe.
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 07, 2008, 02:37:19 PM
Hi,

I have done everything, but I think I have gone too far deleting Java in the Control Panel (Add/Remove Programs), because when I rebooted the computer I could not open the Java 6 installer that I had saved on the desktop. And now Secunia cannot perform either. Should I download the Java applet?

What a mess... I've done ::)
Title: Re: C:\ ComboFix.txt
Post by: oldman on May 07, 2008, 07:14:16 PM
What error message do you receive when you try to open jre-6u6-windows-i586-p.exe, which should be the file you downloaded?
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 08, 2008, 05:22:45 PM
Hi!

I have tried again today and Java jre6 is now successfully installed.

Thanks for all your help!!!
Title: Re: C:\ ComboFix.txt
Post by: Capricho on May 08, 2008, 05:25:17 PM
Hi!

I have tried again today and Java jre6 is now successfully installed.

Thanks for all your help!!!
Title: Re: C:\ ComboFix.txt
Post by: oldman on May 08, 2008, 08:24:36 PM
You're welcome.

Take care and keep safe.