
New spyware!!!!



Martinx
2007-04-11, 03:02
Heya guys. I've gotten awesome help with my previous problems. I'm doing my best to avoid getting more, but unfortunately I managed to get myself a new spyware. It's called Smitfraud-C. and Spybot isn't able to delete it. A message pops up saying "Some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory)."

Btw, I'm pretty sure this is caused by this virus/spyware that I have right now. I can see an icon that resembles a red shield with a white x over it in the task bar. When I put my mouse over it, it says "Spyware infection detected !". I went for it for the first time because it had "windows" in it, so I thought it was legit. But then it installed something called "Registry cleaner", and I accidentally did a scan with it. But as soon as I found out that it was a spyware/virus I uninstalled it. I had like 5 new spywares before I scanned with Spybot, and I managed to get them all away except for one.

Here's a HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 02:58:06, on 2007-04-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\ohfab.exe
C:\WINDOWS\system32\tcpipmon.exe
C:\WINDOWS\updater.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\tcpipmon.exe
C:\Program\Ipwindows\ipwins.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\PROGRAM\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Martin\Mina dokument\Installationer\utorrent_1.6.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O1 - Hosts: L2authd.lineage2.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShareSearcher] C:\ohfab.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [IpWins] C:\Program\Ipwindows\ipwins.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks a lot in advance!!
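
As an added example that is not part of this thread, here is a small Python triage script for HijackThis 1.99 log lines of the kind posted above: it flags the entries a forum helper looks at first (autoruns launched from the drive root or the Windows folder root, Run values with a bare file name, a long opaque argument, Winlogon Notify DLLs outside a stock baseline, orphaned BHOs and services, and hosts-file overrides). The sample lines are taken from the log above; the parsing regexes, the location heuristics and the assumed Winlogon Notify baseline are this example's own, not anything from HijackThis or from the helpers here.

```python
"""Triage helper for HijackThis 1.99.x log lines (added example, not from the thread).

Heuristics only: each finding is a line a forum helper would look at first,
not a verdict that the entry is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: L2authd.lineage2.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ShareSearcher] C:\ohfab.exe
O4 - HKLM\..\Run: [tcpipmon] tcpipmon.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [IpWins] C:\Program\Ipwindows\ipwins.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Winlogon Notify subkeys on a stock XP SP2 install (assumed baseline), plus
# WgaLogon, Microsoft's Genuine Advantage notifier, which is usually present.
BASELINE_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O1_RE = re.compile(r"^O1 - Hosts: (?P<host>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<file>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<file>.*)$")
IMAGE_RE = re.compile(r"(.*?\.(?:exe|dll|com|scr|bat|cmd))(?=\s|,|$)", re.I)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def launched_image(cmd: str) -> str:
    """Return the file a Run value really executes (for rundll32, the DLL it loads)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        image, rest = cmd[1:end], cmd[end + 1:]
    else:
        m = IMAGE_RE.match(cmd)
        if not m:
            return cmd.split(" ", 1)[0]
        image, rest = m.group(1), cmd[m.end():]
    if image.lower().rpartition("\\")[2] == "rundll32.exe":
        # rundll32 is only the host process; the DLL it is handed is the real autorun
        return launched_image(rest.strip().split(",", 1)[0])
    return image


def image_reasons(image: str) -> list[str]:
    """Location-based red flags for an autorun image."""
    directory, _, name = image.lower().rpartition("\\")
    if not directory:
        return ["bare file name with no path; resolved through the search path"]
    reasons = []
    if re.fullmatch(r"[a-z]:", directory):
        reasons.append("runs from the drive root")
    elif re.fullmatch(r"[a-z]:\\windows", directory) and name != "explorer.exe":
        reasons.append("runs from the Windows folder root, not system32 or a vendor folder")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Flag HijackThis lines worth a helper's attention."""
    findings: list[Finding] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O1_RE.match(line):
            findings.append(Finding(line, f"hosts override for {m['host']}; confirm the user added it"))
        elif m := O2_RE.match(line):
            if "(no file)" in m["file"]:
                findings.append(Finding(line, "BHO registered with no file on disk; orphaned entry"))
        elif m := O4_RE.match(line):
            for reason in image_reasons(launched_image(m["cmd"])):
                findings.append(Finding(line, reason))
            if HEX_BLOB_RE.search(m["cmd"]):
                findings.append(Finding(line, "long opaque hex argument on the command line"))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in BASELINE_WINLOGON_NOTIFY:
                findings.append(Finding(line, "Winlogon Notify DLL outside the stock baseline; loaded by winlogon"))
            elif "(file missing)" in m["file"]:
                findings.append(Finding(line, "Winlogon Notify entry whose DLL is missing"))
        elif m := O23_RE.match(line):
            if "(file missing)" in m["file"]:
                findings.append(Finding(line, "service whose binary is missing; orphaned or half-removed"))
    return findings
```

Running `triage(SAMPLE_LOG)` on the sample picks out the same lines the helper later asks to have fixed or deleted (C:\ohfab.exe, tcpipmon.exe, updater.exe, rpcc.dll) while leaving the avast, NVIDIA and ZoneAlarm entries alone.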

Martinx
2007-04-11, 21:10
I forgot to mention that this is the worst spyware/virus I've had in a long time. I got it after downloading a file I didn't expect to contain it. It was just ONE tiny program. I recently finished a thorough avast virus scan, and it found 8 viruses. It took two days for it to scan, because my computer is chugging/acting a lot slower because of this spyware/virus. I quarantined all the 8 viruses that avast detected, and I got rid of 5/6 spywares with Spybot, so I'm guessing the remaining spyware is the one causing all this.

Like I said before, there's an icon in the taskbar that resembles the Windows Security Center, only that it's slightly bigger. Every 5 minutes a bubble appears from it saying "Your computer is infected!" "Windows has detected a Spyware" bla bla bla. I'm guessing it's Smitfraud-C., but it might not be. It's a really annoying spyware. It makes my computer AND audio chug A LOT when I open firefox or just any kind of window.

I really need your help!

Thanks in advance.

Martinx
2007-04-11, 21:12
Oh and also, it's the same spyware that made me download a program called Registry Cleaner. Also, if I open Internet Explorer, there's a taskbar with a lot of unnecessary stuff that I've never had before. I'm certain it's from this spyware too.

tashi
2007-04-11, 21:32
Hello.

Bumping your topic may delay assistance, read why: If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

"BEFORE you POST" Mandatory Steps Before Requesting Assistance (http://forums.spybot.info/showthread.php?t=288)

Where are the results of your on-line anti virus scan?

Also:
2007-04-10
http://forums.spybot.info/showthread.php?t=12810
C:\Program\Java\jre1.5.0_11\bin\jusched.exe

2007-03-10
http://forums.spybot.info/showthread.php?t=11989&page=4


Go here (http://java.sun.com/javase/downloads/index.jsp) and download and install JRE 6.0. Click the link that says Download JRE 6.0 . You will then need to select Accept License Agreement and click the Continue button that is beside it. Then click the link that says Windows Offline Installation, Multi-language. Save it to your Desktop. Then go back to your Desktop and double click jre-6-windows-i586.exe to start the install. Once you have it installed, click Start>Run, type in appwiz.cpl and hit Enter. From the list, uninstall J2SE Runtime Environment 5.0 Update 11.

Martinx
2007-04-11, 22:38
I don't really understand your post. Are you telling me to continue my old threads, or that I should follow the steps you quoted? I'm kinda new to this, so I don't understand why you would want me to install JRE 6 if I have JRE 11?

I had no choice but to bump this topic because you can't edit. I had to make it clear for you guys so that you understand the situation.

Oh, and about the results of the anti-virus scan, I don't have one, because I didn't think I would need one, as I already successfully deleted all the viruses. I closed the anti-virus results a long time ago, and I don't think I can retrieve them since I never save them.

Thanks a lot in advance.

pskelley
2007-04-12, 00:23
Welcome to the forum, I am sorry you are having a hard time understanding the directions. I will do my best to explain so you can understand. Since a lot of stuff has been posted, I would like you to read the information I am about to post carefully. I hate to be the bearer of bad news, but you have a nasty infection. Have a look: http://www.castlecops.com/o20list-310.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.Bifrose.aat&threatid=70540

Severe risks are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and bot nets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines. That's not all either: I also see PurityScan/Oin, which is tough to remove, and this piece of junk:
http://www.google.com/search?hl=en&q=tcpipmon.exe&btnG=Google+Search
and this one that I can't even identify, but it may be this: http://www.liutilities.com/products/wintaskspro/processlibrary/updater/
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

Because these backdoor trojans have severely compromised your security, I think you should have this information.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and Download and Execute files
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Please let us know what you have decided to do in your next post.

Thank you

Martinx
2007-04-12, 02:14
Oh crap, this can't be happening. I simply CAN'T reinstall Windows XP. I won't go through all the trouble of getting what I have, I probably won't be able to anyways.

It's really late, so I'll have to read your post more thoroughly tomorrow to see if there is another choice. Thanks for your answer though!

Martinx
2007-04-12, 16:09
Well I managed to get rid of updater.exe and the "Spyware detected" crap in the taskbar. Don't know what to do next :(

pskelley
2007-04-12, 23:32
If you have read the information I posted and you are saying you want me to help you clean this computer as good as I can, then post a new HJT log and wait patiently for my next instructions.

Thanks

Martinx
2007-04-14, 14:13
Yep, I want your help. Thanks!

Here's a fresh HJT Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 14:08:33, on 2007-04-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\Ipwindows\ipwins.exe
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Winamp\winamp.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O1 - Hosts: L2authd.lineage2.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O4 - HKCU\..\Run: [IpWins] C:\Program\Ipwindows\ipwins.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2007-04-14, 14:52
Thanks for the log, none of this junk is easy to remove and I am going to try to kill PurityScan/OIN manually, so it is important that you follow the directions carefully and in the posted order.

*** Do you know why this is in your Hosts file? O1 - Hosts: L2authd.lineage2.com

1) Your Java program is out of date, see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version and uninstall all old versions in Add Remove Programs.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Start > Control Panel > Add Remove Programs, uninstall PuritySCAN By OIN, OIN, OuterInfo, Ipwindows, AskTBar and any other program you know does not belong there.

5) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

(save those logs and reports until you finish)


6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\updater.exe 61A847B5BBF72810329B385577FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [IpWins] C:\Program\Ipwindows\ipwins.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab G
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
(should be gone)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items if there:

C:\Program\AskTBar\ <<< delete that folder

C:\Program\Ipwindows\ <<< delete that folder

C:\WINDOWS\updater.exe <<< delete that file

C:\WINDOWS\system32\rpcc.dll <<< delete that file

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

9) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post the Report.txt from SDFix, the uninstall list, a new HJT log and any comments you think will help.

Thanks

Martinx
2007-04-14, 17:49
Okay I've finished everything above the red text that says "(save those logs and reports until you finish)". Here is the SDFix report (I'll continue with the rest now):

Below files will be copied to Backups folder then removed:

C:\215721~1 - Deleted
C:\XVEKFUF.EXE - Deleted
C:\WINDOWS\system32\rpcc.dll - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe"="C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe"="C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program\\America's Army\\System\\ArmyOps.exe"="C:\\Program\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program\\Microsoft Games\\Rise Of Legends\\legends.exe"="C:\\Program\\Microsoft Games\\Rise Of Legends\\legends.exe:*:Enabled:Rise Of Legends"
"C:\\Program\\GameSpy Arcade\\Aphex.exe"="C:\\Program\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program\\RevConnect\\DCPlusPlus.exe"="C:\\Program\\RevConnect\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program\\iMesh Applications\\iMesh6\\iMesh6.exe"="C:\\Program\\iMesh Applications\\iMesh6\\iMesh6.exe:*:Enabled:iMesh"
"C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program\\BitTorrent\\bittorrent.exe"="C:\\Program\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program\\Turbo Torrent\\ttorrent.exe"="C:\\Program\\Turbo Torrent\\ttorrent.exe:*:Enabled:ttorrent"
"C:\\Documents and Settings\\Martin\\Mina dokument\\Installationer\\utorrent_1.6.exe"="C:\\Documents and Settings\\Martin\\Mina dokument\\Installationer\\utorrent_1.6.exe:*:Enabled:µTorrent"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program\Steam\steamapps\tekoppen_2001@hotmail.com\counter-strike\cstrike\radial.cdb
C:\Program\Steam\steamapps\tekoppen_2001@hotmail.com\counter-strike\cstrike\radial.idb

Finished



Thanks a lot for your help so far!

Martinx
2007-04-14, 17:55
Oh and btw, a few things I forgot to point out in my previous post:

Answer to your question about L2authd.lineage2.com being in my hosts folder:

Lineage 2 is the name of an online game I play, but I have no idea what that file is doing there. Should I delete it?

Something I need to point out:

When I entered Add/Remove Programs I could only find "AskTBar", and I obviously deleted it like you instructed me to, but I couldn't find any of the other programs you listed.

pskelley
2007-04-14, 18:14
Finish the balance of the instructions please.

Thanks

Martinx
2007-04-14, 18:17
Ahhh pskelley, just ignore my other posts. I'll post all the results and conclusions in this post to avoid confusion.

Here is the SDFix report:

Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe"="C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe"="C:\\Program\\Steam\\steamapps\\wish_craft@hotmail.com\\dedicated server\\hlds.exe:*:Enabled:HLDS Launcher"
"C:\\Program\\America's Army\\System\\ArmyOps.exe"="C:\\Program\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program\\Microsoft Games\\Rise Of Legends\\legends.exe"="C:\\Program\\Microsoft Games\\Rise Of Legends\\legends.exe:*:Enabled:Rise Of Legends"
"C:\\Program\\GameSpy Arcade\\Aphex.exe"="C:\\Program\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program\\RevConnect\\DCPlusPlus.exe"="C:\\Program\\RevConnect\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program\\iMesh Applications\\iMesh6\\iMesh6.exe"="C:\\Program\\iMesh Applications\\iMesh6\\iMesh6.exe:*:Enabled:iMesh"
"C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program\\BitTorrent\\bittorrent.exe"="C:\\Program\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program\\Turbo Torrent\\ttorrent.exe"="C:\\Program\\Turbo Torrent\\ttorrent.exe:*:Enabled:ttorrent"
"C:\\Documents and Settings\\Martin\\Mina dokument\\Installationer\\utorrent_1.6.exe"="C:\\Documents and Settings\\Martin\\Mina dokument\\Installationer\\utorrent_1.6.exe:*:Enabled:µTorrent"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program\\MSN Messenger\\msncall.exe"="C:\\Program\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program\\MSN Messenger\\msnmsgr.exe"="C:\\Program\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program\\MSN Messenger\\livecall.exe"="C:\\Program\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program\Steam\steamapps\tekoppen_2001@hotmail.com\counter-strike\cstrike\radial.cdb
C:\Program\Steam\steamapps\tekoppen_2001@hotmail.com\counter-strike\cstrike\radial.idb

Finished

Here is the uninstall_list:

Ad-Aware SE Personal
Adobe Shockwave Player
America's Army
AquaMark3
ASUSUpdate
avast! Antivirus
Battlefield 2(TM)
DH Driver Cleaner Professional Edition
DivX
DivX Converter
DivX Player
Drivrutiner till Logitech® Camera
EverQuest II
GameSpy Arcade
Google Earth
HijackThis 1.99.1
Java(TM) SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
Logitech QuickCam Software
Microsoft .NET Framework 2.0
mIRC
Mozilla Firefox (1.5.0.11)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
Nero 7 Lite 7.7.5.1
NVIDIA Drivers
Oblivion
Panda ActiveScan
QuickTime
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update för Microsoft .NET Framework 2.0 (kB917283)
SILENT HILL 3
SoundMAX
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Steam
Säkerhetsuppdatering för Windows Media Player (KB911564)
Säkerhetsuppdatering för Windows Media Player 6.4 (KB925398)
Säkerhetsuppdatering för Windows Media Player 8 (KB917734)
Säkerhetsuppdatering för Windows Media Player 9 (KB911565)
Säkerhetsuppdatering för Windows Media Player 9 (KB917734)
Säkerhetsuppdatering för Windows XP (KB890046)
Säkerhetsuppdatering för Windows XP (KB893756)
Säkerhetsuppdatering för Windows XP (KB896358)
Säkerhetsuppdatering för Windows XP (KB896422)
Säkerhetsuppdatering för Windows XP (KB896423)
Säkerhetsuppdatering för Windows XP (KB896424)
Säkerhetsuppdatering för Windows XP (KB896428)
Säkerhetsuppdatering för Windows XP (KB899587)
Säkerhetsuppdatering för Windows XP (KB899589)
Säkerhetsuppdatering för Windows XP (KB899591)
Säkerhetsuppdatering för Windows XP (KB900725)
Säkerhetsuppdatering för Windows XP (KB901017)
Säkerhetsuppdatering för Windows XP (KB901214)
Säkerhetsuppdatering för Windows XP (KB902400)
Säkerhetsuppdatering för Windows XP (KB904706)
Säkerhetsuppdatering för Windows XP (KB905414)
Säkerhetsuppdatering för Windows XP (KB905749)
Säkerhetsuppdatering för Windows XP (KB908519)
Säkerhetsuppdatering för Windows XP (KB911562)
Säkerhetsuppdatering för Windows XP (KB911567)
Säkerhetsuppdatering för Windows XP (KB911927)
Säkerhetsuppdatering för Windows XP (KB912919)
Säkerhetsuppdatering för Windows XP (KB913580)
Säkerhetsuppdatering för Windows XP (KB914388)
Säkerhetsuppdatering för Windows XP (KB914389)
Säkerhetsuppdatering för Windows XP (KB916281)
Säkerhetsuppdatering för Windows XP (KB917159)
Säkerhetsuppdatering för Windows XP (KB917344)
Säkerhetsuppdatering för Windows XP (KB917422)
Säkerhetsuppdatering för Windows XP (KB917953)
Säkerhetsuppdatering för Windows XP (KB918118)
Säkerhetsuppdatering för Windows XP (KB918899)
Säkerhetsuppdatering för Windows XP (KB919007)
Säkerhetsuppdatering för Windows XP (KB920213)
Säkerhetsuppdatering för Windows XP (KB920214)
Säkerhetsuppdatering för Windows XP (KB920670)
Säkerhetsuppdatering för Windows XP (KB920683)
Säkerhetsuppdatering för Windows XP (KB920685)
Säkerhetsuppdatering för Windows XP (KB921398)
Säkerhetsuppdatering för Windows XP (KB921883)
Säkerhetsuppdatering för Windows XP (KB922616)
Säkerhetsuppdatering för Windows XP (KB922760)
Säkerhetsuppdatering för Windows XP (KB922819)
Säkerhetsuppdatering för Windows XP (KB923191)
Säkerhetsuppdatering för Windows XP (KB923414)
Säkerhetsuppdatering för Windows XP (KB923689)
Säkerhetsuppdatering för Windows XP (KB923694)
Säkerhetsuppdatering för Windows XP (KB923789)
Säkerhetsuppdatering för Windows XP (KB923980)
Säkerhetsuppdatering för Windows XP (KB924191)
Säkerhetsuppdatering för Windows XP (KB924270)
Säkerhetsuppdatering för Windows XP (KB924496)
Säkerhetsuppdatering för Windows XP (KB924667)
Säkerhetsuppdatering för Windows XP (KB925454)
Säkerhetsuppdatering för Windows XP (KB925486)
Säkerhetsuppdatering för Windows XP (KB925902)
Säkerhetsuppdatering för Windows XP (KB926255)
Säkerhetsuppdatering för Windows XP (KB926436)
Säkerhetsuppdatering för Windows XP (KB927779)
Säkerhetsuppdatering för Windows XP (KB927802)
Säkerhetsuppdatering för Windows XP (KB928090)
Säkerhetsuppdatering för Windows XP (KB928255)
Säkerhetsuppdatering för Windows XP (KB928843)
Säkerhetsuppdatering för Windows XP (KB929969)
Säkerhetsuppdatering för Windows XP (KB930178)
Säkerhetsuppdatering för Windows XP (KB931261)
Säkerhetsuppdatering för Windows XP (KB931784)
Säkerhetsuppdatering för Windows XP (KB932168)
TeamSpeak 2 RC2
Uppdatering för Windows XP (KB898461)
Uppdatering för Windows XP (KB900485)
Uppdatering för Windows XP (KB908531)
Uppdatering för Windows XP (KB910437)
Uppdatering för Windows XP (KB911280)
Uppdatering för Windows XP (KB916595)
Uppdatering för Windows XP (KB920872)
Uppdatering för Windows XP (KB922582)
Uppdatering för Windows XP (KB929338)
Uppdatering för Windows XP (KB931836)
Ventrilo Client
VideoLAN VLC media player 0.8.5
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm


Here is a fresh HJT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:06:56, on 2007-04-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program\Logitech\Video\LogiTray.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\MSMSGS.EXE
C:\Program\Logitech\Video\FxSvr2.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Martin\Mina dokument\Installationer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [Steam] "C:\Program\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [BitTorrent] "C:\Program\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program\Logitech\Video\ManifestEngine.exe boot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


All your steps worked wonders. All your steps were successfully (can't find the right word atm) made. You guys are awesome, you should receive some kind of award!! This place always manages to help me get rid of all my malware.

Oh, and a few things I think you should know about:

- I could only find "AskTBar" in the Add/Remove programs list.

- I couldn't find R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL in HJT.

- I couldn't find O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program\AskTBar\SrchAstt\1.bin\A5SRCHAS.DLL in HJT.

- I couldn't find O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program\AskTBar\bar\1.bin\ASKTBAR.DLL in HJT.

- I couldn't find O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll in HJT (I guess that's good since you pointed out that it shouldn't be found)

Thanks a lot for your help!

pskelley
2007-04-14, 18:33
Thanks, all is looking good :bigthumb: Any more malware issues?

Uninstall List: I'm looking for security issues and malware, good chance for you to look for stuff you no longer use.
I see no problems; if all is back to normal, then you are good to go. Do this first:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Valuable information:
How to prevent Malware
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Martinx
2007-04-14, 18:53
Everything seems good to me too. I've disabled and enabled system restore, so everything should be fine now. Thanks a lot!!!!

pskelley
2007-04-17, 13:21
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks