Page 1 of 3 123 LastLast
Results 1 to 10 of 23

Thread: Help Please. I have 2 Viruses that I know of and probably more

  1. 2007-10-17, 08:20 #1
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default Help Please. I have 2 Viruses that I know of and probably more

    As far as I know there's 2 viruses present and I'm pretty sure there's some spyware too. Any ideas?
  2. 2007-10-17, 12:55 #2
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello 8trac
    Welcome to Safer Networking.

    Please read Before You Post


    Please reply to this thread only and not start any new topics for the same problem or else your posts are going to be all over the forum and we wont be able to keep track of you, also by replying to yourself, you took yourself out of the zero replies category that our helpers look for to work logs. I have archived your previous posts so reply to this one by posting a new HJT log please.
  3. 2007-10-18, 05:57 #3
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default HJT report

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:55:39 PM, on 10/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\RunDll32.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS.0\system32\RUNDLL32.EXE
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\system32\nvsvc32.exe
    C:\WINDOWS.0\system32\oodag.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Logitech\QuickCam10\COCIManager.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS.0\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 8497 bytes
  4. 2007-10-18, 11:18 #4
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Good Morning,


    We need to disable the Tea Timer in Spybot Search and Destroy as to not interfere with the fix.
    • Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer



    Please Download No Lop to your desktop

    • First close any other programs you have running as this will require a reboot
    • Double click NoLop.exe to run it
    • Now click the button labeled "Search and Destroy"
      <<your computer will now be scanned for infected files>>
    • When scanning is finished you will be prompted to reboot only if infected, Click OK
    • Now click the "REBOOT" Button.
    • A Message should pop-up from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log after completing the next steps.
    --If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.

    Post a new HJT log please along with the Nolop log
  5. 2007-10-19, 07:29 #5
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default

    NoLop! Log by Skate_Punk_21

    Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

    Fix running from: C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Desktop
    [10/19/2007]
    [1:26:18 AM]

    ---Infection Files Found/Removed---
    NO INFECTION FILES FOUND - Cleaning Aborted.

    ---Listing AppData sub directories---

    C:\Documents and Settings\Administrator\Application Data\Microsoft
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Adobe
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Adobeum -- EMPTY Directory
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Apple Computer
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Avg7
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Azureus
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Command & Conquer 3 Tiberium Wars
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Divx
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Draw Up
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Dvdcss
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Google
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Identities
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Leadertech
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Macromedia
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Microsoft
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Microsoft Games -- EMPTY Directory
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Mozilla
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Securom
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Sun
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Teleca
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Thunderbird
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Utorrent
    C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Vlc
    C:\Documents and Settings\All Users\Application Data\Adobe -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Adobe Systems
    C:\Documents and Settings\All Users\Application Data\Apple Computer
    C:\Documents and Settings\All Users\Application Data\Cyberlink
    C:\Documents and Settings\All Users\Application Data\Kazaa Lite
    C:\Documents and Settings\All Users\Application Data\Microsoft
    C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
    C:\Documents and Settings\All Users\Application Data\Pace Anti-piracy
    C:\Documents and Settings\All Users\Application Data\Quicktime
    C:\Documents and Settings\All Users\Application Data\Sony Ericsson
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    C:\Documents and Settings\All Users\Application Data\Symantec
    C:\Documents and Settings\All Users\Application Data\Teleca
    C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users.windows.0\Application Data\Adobe
    C:\Documents and Settings\All Users.windows.0\Application Data\Apple Computer
    C:\Documents and Settings\All Users.windows.0\Application Data\Avg7
    C:\Documents and Settings\All Users.windows.0\Application Data\Azureus
    C:\Documents and Settings\All Users.windows.0\Application Data\Google
    C:\Documents and Settings\All Users.windows.0\Application Data\Google Updater
    C:\Documents and Settings\All Users.windows.0\Application Data\Great Coal Love Default
    C:\Documents and Settings\All Users.windows.0\Application Data\Kaspersky Lab
    C:\Documents and Settings\All Users.windows.0\Application Data\Logitech
    C:\Documents and Settings\All Users.windows.0\Application Data\Microsoft
    C:\Documents and Settings\All Users.windows.0\Application Data\Nvidia
    C:\Documents and Settings\All Users.windows.0\Application Data\Nview_profiles -- EMPTY Directory
    C:\Documents and Settings\All Users.windows.0\Application Data\Sony Ericsson
    C:\Documents and Settings\All Users.windows.0\Application Data\Spybot - Search & Destroy
    C:\Documents and Settings\All Users.windows.0\Application Data\Teleca
    C:\Documents and Settings\All Users.windows.0\Application Data\Windows Genuine Advantage
    C:\Documents and Settings\All Users.windows.0\Application Data\Wlinstaller
    C:\Documents and Settings\Default User\Application Data\Microsoft
    C:\Documents and Settings\Default User.windows.0\Application Data\Microsoft
    C:\Documents and Settings\Localservice\Application Data\Microsoft
    C:\Documents and Settings\Localservice.nt Authority\Application Data\Avg7 -- EMPTY Directory
    C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
    C:\Documents and Settings\Networkservice\Application Data\Microsoft
    C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:27:53 AM, on 10/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\system32\nvsvc32.exe
    C:\WINDOWS.0\system32\oodag.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\RunDll32.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\WINDOWS.0\system32\RUNDLL32.EXE
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Logitech\QuickCam10\COCIManager.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 8112 bytes
  6. 2007-10-19, 12:53 #6
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    The people that write this garbage are constantly updating and adding files, you do have a LOP infection the scan just did not pick it up.

    We need to make sure all hidden files are showing :
    • Click Start.
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading select Show hidden files and folders.
    • Uncheck the Hide file extensions for known types option.
    • Uncheck the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    Once your system is clean, we suggest that you reverse this to keep critical windows files from accidently being deleted.


    Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    O1 - Hosts: 66.98.148.65 auto.search.msn.com
    O1 - Hosts: 66.98.148.65 auto.search.msn.es

    O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
    O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe


    Delete the files in RED


    C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default
    C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1



    Run this free online virus scanner.

    Run Panda's ActiveScan from here and perform a full system scan.
    • Once you are on the Panda site click the "Scan your PC" button
    • A new window will open...click the big "Check Now" button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
    • If you are on a slow connection it will take about 15 minuites for the scanner to load.
    • Click on "Local Disks" to start the scan
    • Once scan is done, click "see report" then "save report"
    • Save the log someplace you can find
    • Reboot
    • Post the Panda scan results in your next reply



    Post the Panda report and a New HJT log please
  7. 2007-10-19, 18:20 #7
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default

    Hello Hello

    So I fixed those entries using HijackThis, and deleted the two file folders in red.

    HERE's the Panda Scan Log

    Incident Status Location

    Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[ad.yieldmanager.com/]
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.tribalfusion.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.2o7.net/]
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.ads.pointroll.com/]
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.adtech.de/]
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.adultfriendfinder.com/]
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.atdmt.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.bs.serving-sys.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.com.com/]
    Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.gostats.com/]
    Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.hotlog.ru/]
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.overture.com/]
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.questionmarket.com/]
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.realmedia.com/]
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.serving-sys.com/]
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.toplist.cz/]
    Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.trafficmp.com/]
    Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.weborama.fr/]
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.xiti.com/]
    Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[www.burstbeacon.com/]
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@2o7[2].txt
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@ads.pointroll[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atdmt[2].txt
    Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atwola[1].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@azjmp[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@bs.serving-sys[2].txt
    Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@citi.bridgetrack[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@com[1].txt
    Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@go[2].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@perf.overture[1].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@questionmarket[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@serving-sys[2].txt
    Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@stat.onestat[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@tribalfusion[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@2o7[1].txt

    HJT report in next post
  8. 2007-10-19, 18:21 #8
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default

    HJT report (ran out of room on previous post)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:18:12 PM, on 10/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\RunDll32.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS.0\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\system32\nvsvc32.exe
    C:\WINDOWS.0\system32\oodag.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Logitech\QuickCam10\COCIManager.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 7799 bytes
  9. 2007-10-19, 18:36 #9
    ken545
    ken545 is offline
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    This one still has to go. Remove it with HJT

    O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe

    C:\Documents and Setting\Administrator\Jer <-- Cant see full name \Application Data\DRAWUP~1 <--Delete this file in Red


    All Panda found were cookies

    Post a new HJT log please
  10. 2007-10-19, 22:26 #10
    8trac
    8trac is offline
    Junior Member
    Join Date
    Oct 2007
    Posts
    18

    Default

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:26:01 PM, on 10/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\RunDll32.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
    C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
    C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
    C:\WINDOWS.0\system32\RUNDLL32.EXE
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS.0\system32\nvsvc32.exe
    C:\WINDOWS.0\system32\oodag.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
    C:\Program Files\Microsoft Windows OneCare Live\winss.exe
    C:\Program Files\Logitech\QuickCam10\COCIManager.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
    O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
    O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
    O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

    --
    End of file - 7825 bytes
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules