View Full Version : Infected with downloader.obfuskated
AVG tells me its found it everytime it scans but cannot get rid of it, i was on this not long ago, Shaba helped me remover malware i think and other nusiances! but this has appeared now, help much appreciated
Laura
Logfile of HijackThis v1.99.1
Scan saved at 18:32:09, on 02/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\sistray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/scotland
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 2091\Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
pskelley
2007-05-04, 13:28
Hi Laura and welcome back to the forum, since I see no required online antivirus scan I must assume you missed these important instructions:
"BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
You can wait on that scan until we see if we need it, HJT just can't see everything and it can not see whatever AVG is finding. I need to know exactly what this is AVG is finding, what the name and the pathway (location) is.
Please read this information: http://www.microsoft.com/windows/support/endofsupport.mspx
I am concerned that you have not downloaded SP2 in light of the fact that Windows no longer offers support for the version you are running. This means you cannot receive the Critical Updates needed to keep your Operating System safe.
If you are not aware of the need to do this, please do not until we are sure your computer is clean. Here is some information you should have.
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
Thanks
:oops: I think i am on Service Pack 1. Ok, il do a scan with AVG is that right? And then post the results?
Sorry i understand now, im just using the Virus Scanner CA online one just now
pskelley
2007-05-04, 18:43
Understand, you have told me you have this being identified by AVG:
Infected with downloader.obfuskated
I need more information, that is very generic. I need to know what the location or the name of the item is.
See the google: http://www.google.com/search?hl=en&q=downloader.obfuskated&btnG=Google+Search
It may even be a false positive from AVG, we need to have more information than you provided.
Thanks
Ok i did an online scan, it found 2 virus. How do i upload a log of it or something?
In the meantime, il run AVG and post the results?
ok dont know if this helps, this was the results of the online virusscan, iv just re-written the results -
1)
File: 4714f487-62189145
Infection: Java/ByteVerify!exploit
Status: Infected
Path: C:\Documents and Settings\Laura Rennie\Application Data\Sun\Java\Deployment\cache\6.0\7\
2)
File: FirstApplet.class-3aec8c0a-3f69f7f0.class
Infection: Java/ByteVerify!exploit
Status: Infected
Path: C:\Documents and Settings\Laura Rennie\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\
Ive went into my AVG Virus Vault, it lists the virus names as Downloader.Obfuskated and the different filennames are
- A0159111.exe
- c698e977.exe
- gdnFR2218.exe
It gives paths too if you want me to type them up?
Ok here are the full pathnames anyway if this helps:
- C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\A0159111.exe
- C:\WINDOWS\SYSTEM32\c698e977.exe
- C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gdnFR2218.exe
- C:\WINDOWS\Downloaded Program Files\CONFLICT.2\gdnFR2218.exe
- C:\WINDOWS\Documents and Settings\Laura Rennie\Local Settings\Application Data\c698e977.exe
pskelley
2007-05-04, 20:52
Thanks for the information, the first two called: Infection: Java/ByteVerify!exploit can be removed by cleaning the Java cache carefully like this:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml
The three that are here: AVG Virus Vault and quarantined, delete everything in that vault.
These instructions will show you how to do this near the end of the tutorial:
http://wiki.pomona.edu/bin/view/FAQ/AVGAntiVirus
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\A0159111.exe
This one is backed up in your System Restore files, follow these instructions to clean those files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I think a good spyware scan should be run on your computer. Do not confuse this with your antivirus program, it is a different program offered by Grisoft that scans for spyware. Follow the directions in this link to download, install, update and run AVG AntiSpyware 7.5. Make sure you delete or at least quarantine anything it finds and save the scan report to post for me to view. http://forums.security-central.us/showthread.php?t=3165
Thanks
Here's the AVG Anti-Spyware scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 19:21:06 09/05/2007
+ Scan result:
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@4.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@connextra[2].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@search.live[2].txt -> TrackingCookie.Live : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@data3.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads-205.quarterserver[1].txt -> TrackingCookie.Quarterserver : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@real[2].txt -> TrackingCookie.Real : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@realmedia[1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
::Report end
Sorry this is report where they've been deleted :
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 19:21:06 09/05/2007
+ Scan result:
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@metacafe.122.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@4.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adbrite[1].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.addynamix[2].txt -> TrackingCookie.Addynamix : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@bluestreak[1].txt -> TrackingCookie.Bluestreak : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@casalemedia[1].txt -> TrackingCookie.Casalemedia : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@connextra[2].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@search.live[2].txt -> TrackingCookie.Live : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@data3.perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@perf.overture[1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ads-205.quarterserver[1].txt -> TrackingCookie.Quarterserver : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@real[2].txt -> TrackingCookie.Real : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@realmedia[1].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@revsci[2].txt -> TrackingCookie.Revsci : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@specificclick[2].txt -> TrackingCookie.Specificclick : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@statcounter[2].txt -> TrackingCookie.Statcounter : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@anad.tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@m.webtrends[2].txt -> TrackingCookie.Webtrends : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Laura Rennie\Cookies\laura rennie@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
::Report end
pskelley
2007-05-09, 21:25
You posted the same report twice? Please post the correct one and since a few days have gone by, post a new HJT log and let me know how the computer is running. I don't need to see cookies as long as they are deleted, you may edit them out.
Thanks...Phil
Oh right, I saved the scan when it was done and thats what i uploaded? did u want something different?
Heres' the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 19:32:48, on 09/05/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\BT Broadband 2091\Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/scotland
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0\aoltray.exe
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 2091\Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-gb/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-gb/1,0,0,20/mcgdmgr.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
pskelley
2007-05-09, 23:16
You posted the same AVG Anti-Spyware report twice. The scan found nothing but cookies, if you deleted them, that is fine. If you are having no problems now then since we cleaned the System Restore files, you need this information.
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
Thanks you very much for all your help, so does that mean i have a clean machine now? And if so, how do i go about installing SP2?
pskelley
2007-05-10, 17:08
As far as I can see, your computer is clean of malware, I posted one link earlier, but will post it again with a couple of other informational links. You used to be able to order the CD free, but I believe they charge for it now. When you are ready, just click
Internet Explorer > Tools > Windows Update.
SP2 CD
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
What you should know
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx
system requirements
If you have any issues you can get help here: http://support.microsoft.com/
Thanks
Thanks for your help again, Il be making a donation for the several times this has helped :)
Laura
pskelley
2007-05-14, 14:16
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks