View Full Version : Can't check any email or use google - Infected w Virtumonde, Winsoftware, Wildtangent
blogaibernukas
2008-08-14, 02:22
That's my log. I'm not very computer savvy, please help!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:18 AM, on 8/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Creative\Mixer\CTSVolFE.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy2.esade.es:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.esade.com;*esade.es;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\geBuVPFV.dll (file missing)
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Program Files\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {476BAA09-EEBD-4ABF-8982-BAD2882A71A8} - C:\WINDOWS\system32\wvUllklj.dll (file missing)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\bgphfbrv.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: {b43edec7-8198-c8fa-7a14-cd3d2cbf8cb6} - {6bc8fbc2-d3dc-41a7-af8c-89187cede34b} - C:\WINDOWS\system32\nvqhof.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar7.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar7.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [CTSVolFE.exe] "C:\Program Files\Creative\Mixer\CTSVolFE.exe" /r
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Disk Knight] C:\WINDOWS\Knight.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [604bfdf7] rundll32.exe "C:\WINDOWS\system32\rhvklffi.dll",b
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: geBuVPFV - geBuVPFV.dll (file missing)
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Program Files\Scpad\scpLIB.dll
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 13148 bytes
pskelley
2008-08-16, 04:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
2) Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks
blogaibernukas
2008-08-16, 12:25
Hi pskelley, Thank you sooooooooooooo much for helping me, I can't thank you enough!!!
So, here's what happened. I cannot read the website on how to use combofix because Virtumonde or whatever is stopping me from accessing the page. I have tried in several different ways both through Firefox and iExplorer and no luck. If that's the case, can you paste information here on how to use it?
Well, I've downloaded it from the link and put it on my desktop. I tried running it but then it gives me the dark blue windows boot screen saying:
"A problem has been detected and Windows has been shut down to prevent blablabla if it's the first time you see this restart your computer and contact blablabla" and then:
INVALID_KERNEL_HANDLE
***Technical information
*STOP: 0x00000093 (0x000007A8, 0x00000000, 0x00000000, 0x00000000)
"
I have done it twice and get the same response both times. If any other information is needed from the dark blue windows screen please let me know and I'll copy it.
I then re-checked if TeaTimer was disabled in SpyBot and the box was properly unchecked. However the "Resident" icon box inside tools IS CHECKED is that supposed to remain this way?
Then I tried to look for a txt file inside the combofix folder. Did not find a log but found this:
ComboFix 08-08-14.05 - Denise Kenney 2008-08-16 11:03:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.641 [GMT 2:00]
Running from: C:\Documents and Settings\Denise Kenney\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
And then I ran HTJ to post the new log here (below).
Please let me know if there's anything different I can do.
Thank you so much again
L
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:29 AM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 3072 bytes
pskelley
2008-08-16, 17:15
Thanks for the HJT log, it gives me an idea of what combofix did, but I need that log. To explain, combofix has a database that is constantly changing as malware changes. sUBs keys to several common malware issues, but there is no way he can get everything in the database, it would be hugh. I know some stuff was removed, but the log also shows all files installed during the infection period. Hopefully my trained eye can spot bad files not in the database. Here is what the log will look a lot like.
http://forums.spybot.info/showthread.php?t=32556
Look after the HJT log in post#3. I know it ran or would not have received the notification about Recovery Console. Look on the C:\ drive, should be at C:\combofix.txt.
So, here's what happened. I cannot read the website on how to use combofix...etc.
Not to worry, you got the tool run, we will get to that information later. can you believe how these criminals actually infect you, then block you from the help you need. My suggestion is a firing squad. The computer is your property and these folks would just as likely kick down your front door to gain access to what they want...$$$
INVALID_KERNEL_HANDLE
http://www.google.com/search?hl=en&q=INVALID_KERNEL_HANDLE&btnG=Google+Search
Keep recording any error messages (windows talking to us) and post the information, but we will likely deal with error messages as we kick this junk off your computer. If they do not stop at that point, we will need the exact messages to research the cause.
TeaTimer <<< not showing in the new HJT log so you disabled it correctly.
It all boils down to the fact that I need that log that combofix provided us with. If it is not on the C:\ then run combofix again. If you do not have combofix on the Desktop (cats head) the download it again from this link.
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Then follow the directions:
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply (like point and shoot)
Thanks...Phil
blogaibernukas
2008-08-17, 00:01
Hi Phil,
Thank you for your response again. I think it's not working with Combofix, I mean, I think something is stopping it from doing its job. Maybe there's something I need to do to Windows so it will let it run? Or maybe pause a process or something? I'll describe below exactly what happened and then post all the logs I've found.
So I run Combofix. It says "Preparing to run" and then it beeps and I get a window to confirm that I really want to run it. Then it goes to a small blue screen saying
Attempting to create a system restore (then it apparently accomplishes this)
then
- Scanning for infected files, this might take ten minutes but really infected
- systems will take longer (or something like that)
- Combofix has changed your clock settings, do not change it back....
But then it takes ONLY A FEW SECONDS and goes to the boot dark blue screen, shuts down and says the exact same message I've posted before every time. (I've done it three times) And the clock never changes either.
I cannot access the link you posted, just for the record, so I don't know what it says about the INVALID_KERNEL_HANDLE. I DO get to see the other post though inside the spybot forum, so I know now how it looks like. But wasn't the log supposed to come very obvious, like the HJT?
Then, after the dark blue screen I then have to restart the computer and when it comes back it says:
- The system has recovered from a serious error ....
And then you have the option to send or not the report to windows. SO that's why I think there might be some windows security configuration that is stopping me from running combofix? Any ideas?
Anyways, I went to C: and there was no combofix.txt. Ther is a aaw7boot.log and a Installer.log and a LogiSetup.log and there is a combofix folder. Inside the folder there is a combofix.txt but it says just the following:
COMBOFIX.TXT
ComboFix 08-08-14.05 - Denise Kenney 2008-08-16 22:39:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT 2:00]
Running from: C:\Documents and Settings\Denise Kenney\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
That's all :( and then there is a Pend.txt that says
PEND.TXT:
.:\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\config\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\csrss.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\drivers\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\hal.dll\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\lsass.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\ntdll.dll\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\services.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\smss.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\svchost.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\userinit.exe\\\(0!\|0\\0\)
C:\\WINDOWS\\system32\\wbem\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\system32\\winlogon.exe\\\(0!\|0\\0\)
C:\\boot.ini\\\(0!\|0\\0\)
C:\\ntdetect.com\\\(0!\|0\\0\)
C:\\ntldr\\\(0!\|0\\0\)
C:\\WINDOWS\\\(\\\|0!\|0\\0\)
C:\\WINDOWS\\explorer.exe\\\(0!\|0\\0\)
I went and ran the HTJ just in case so here's the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:42 PM, on 8/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [BM6378ce6b] Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgfws8.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 3072 bytes
Hope we can find a solution :(
Thanx a bunch!
L
pskelley
2008-08-17, 00:19
Thanks for that feedback, and yes this is a problem. What is this:
C:\Program Files\GbPlugin\GbpSv.exe
http://www.processlibrary.com/directory/files/gbplugin/337869
http://www.prevx.com/filenames/4020390357407158463-0/GBPSV.EXE.html
Turn that program off or uninstall it and then start from the beginning with combofix instructions and tell me what happens. This item may be blocking our installation.
Thanks
blogaibernukas
2008-08-17, 00:24
Or should I try ctrl+alt+delete and try to find it inside the processes? How do you recommend I stop it?
pskelley
2008-08-17, 01:08
Do you know why that item is on your computer?
C:\Program Files\GbPlugin\GbpSv.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
http://www.gastecnologia.com.br/site/pt/ <<< what it is
It is some kind of security program, I have never seen it before. That is what they do, block stuff, shame it did not block Vundo. The only way I can think to remove all of that is to uninstall it in Add Remove programs and I still don't know if that is the reason combofix does not install properly.
Let's see if we can use another method.
Remove combofix, to be sure it is gone, do this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
1) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\eqcysodq.dll",s
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\eqcysodq.dll <<< delete that file...it is Vundo and must be deleted.
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
7) Download [B]Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.
Thanks
blogaibernukas
2008-08-17, 01:16
I tried deleting and uninstalling and no luck. It just doesn't show on Add/Remove... I also tried to stop the process in Task Manager but it didn't work either. Then since I cannot search with google (bc of my virus) I was trying for answers in the forum and found this
http://forums.spybot.info/showthread.php?t=22881&highlight=gbpsv
It might be from a bank in Brazil but it's controversial (the last person to post thinks there might be a virus version)
Anyway, I'm going to try your new solution now, just wanted to clarify that. will be back soon
L
pskelley
2008-08-17, 02:06
I can show you how to remove it, I just want to be sure it is not something important. If this is your computer and you don't know what it is, I guess not. If you want it gone, let me know.
I will also mention I received a notification from sUBs forum at SWI and another heper asked about an issue where a member only received the header similiar to the way you did, so the glitch may be with combofix. I am tracking that waiting for a response from the creator. In the meantime, let's try to clean the malware from your computer.
Thanks...Phil
blogaibernukas
2008-08-17, 02:21
Hi Phill,
I'm still stuck in Teatimerbat. I open the link you gave me and come across some text (pasted at the end). How exactly do I use it/save it to my desktop and run it? (sorry about my lack of knowledge)
About reming gbpsv I don't think it would be a problem. It's my sister's computer and she's just a regular internet user.
I'll do the other stuff you mentioned while waiting for the response on the bat
Thank you for your help
blogaibernukas
2008-08-17, 02:24
Don't worry. Just runned it with ie not Firefox.
Will go on following instructions
Thanx
blogaibernukas
2008-08-17, 03:51
When trying the first steps (with HJT fix) I was not able to delete eqcysodq.dll I've tried the "fix" button several times and then tried deleting it from the folder!!! Just says "Access is denied"
Do I have to find the other four files you mentioned too (to delete them)? I don't see a path to which folder contains them and the search won't find them either. (I'm talking about the four other ones HJT fixed-below)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} -
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} -
Just FYI I've uninstalled the AVG anti virus since it was stopping the upgrade for Malwarebytes.
Then everything apparently worked :) At first Malwarebytes said it couldn't delete eqcysodq and asked to restart the computer. When it restarted windows prompted a box that said "eqcysodq.dll cannot be found"
MALWAREBYTES LOG:
Malwarebytes' Anti-Malware 1.24
Database version: 1059
Windows 5.1.2600 Service Pack 2
2:38:19 AM 8/17/2008
mbam-log-8-17-2008 (02-38-19).txt
Scan type: Full Scan (C:\|)
Objects scanned: 89329
Time elapsed: 34 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm6378ce6b (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\WINDOWS\system32\kBin15 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SalesMonitor\Data (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\Denise Kenney\Local Settings\Temp\Temporary Internet Files\Content.IE5\8KVK2Q80\Codec[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080816-032506-292.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gddpinds.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhvklffi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nvqhof.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Denise Kenney\Application Data\DriveCleaner Freeware\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\scpsssh2.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eqcysodq.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6378ce6b.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM6378ce6b.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:12 AM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing)
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 2494 bytes
blogaibernukas
2008-08-17, 11:58
I tried navigating this morning (I'm in London) and it's working! I'm starting to feel hopeful and am very thankful for your help!!!!
I ran SpyBot and still shows WinAntivirusPro2007 and WildTangent though, what should I do next?
pskelley
2008-08-17, 14:04
Thanks for returning the log, we seem to be making progress, we will try to work through the issues I see that are left.
1) C:\Program Files\GbPlugin\GbpSv.exe
Could you check with your sister and make sure it is okay to remove that program.
2) I see no antivirus and we need to get one onboard. I see you said this.
Just FYI I've uninstalled the AVG anti virus since it was stopping the upgrade for Malwarebytes.
Please reinstall the antivirus protection, look at this tutorial before you do to see if you can use it.
How to Install Free version AVG 8.0 without LinkScanner feature
http://russelltexas.com/tutorials/avg8install.htm
3) The item you had trouble deleting was deleted on reboot by MBAM
C:\WINDOWS\system32\eqcysodq.dll (Trojan.Agent) -> Delete on reboot.
4) Issues with Spybot not being able to remove what it finds are often caused by an outdated program. Would you look at this information and make sure you are up to date and fully immunized. Then reboot and run Spybot S&D and run it again removing what it finds.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
Let me know if this takes care of the problem.
5) I am sure this is malware:
O23 - Service: Microsoft DDE+ server (3a8c9531b83b472a) - Unknown owner - C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe (file missing
Let's remove that like this:
Disable the Service
Click Start > Run and type services.msc
Scroll down to Microsoft DDE+ server and right click on it. Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
Then navigate to this file C:\WINDOWS\system32\.3a8c9531b83b472a\3a8c9531b83b472a.exe <<< and delete it.
Once you have the information from sister, AVG 8 installed and that bad service stopped and the file deleted, then post a new HJT log. Along with that log I would like to see here uninstall list. Get that like this.
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
That stuff will go away once Service Pack #3 is installed.
I understand we are five hours in time difference. I am Clearwater, Fl EST
Thanks
blogaibernukas
2008-08-17, 22:47
Hi Phil,
I'm very glad to hear we're making progress and now I'm enjoying my vacation for the first time without that big problem in my mind, all thanks to your help!!!!!!
I think it's important to note that I think I"m not running as an administrator. My sister forgot the pswd for the administrator and actually never even logged on as this. Not sure if this is of relevance. It always logs in automatically so I just realized this when running spybot in safe mode this time.
Please find below the results for your instructions.
1 - When I was running HJT I saw that's for the bank I used to access from this computer. I no longer access it and we can delete the program now. I asked my sister and she agreed
2 - Done sucessfully! Installed AVG without the Link Scanner feature
3 - Very glad to hear that! Thanx for telling me
4 - I just installed Spybot due to this problem so I was pretty sure I had the latest version but in any case I checked the version and did an update plus immunize. Then tried to fix and those two still remained. It asked me to run again after restart but no luck. Then I tried running in safe mode and still no luck. So they're still showing there.
5 - The STOP under Service Startup was greyed out so I didn't do anything. THen the folder was empty so I just deleted the folder
HTJ
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:29 PM, on 8/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 2832 bytes
UNINSTALL LIST
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AOLIcon
Apple Mobile Device Support
Apple Software Update
Avanquest update
AVG Free 8.0
Broadcom Management Programs
BUM
Conexant HDA D110 MDC V.92 Modem
Corel Photo Album 6
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Support 3.1
DellConnect
Digital Content Portal
Digital Line Detect
Documentation & Support Launcher
EarthLink setup files
EducateU
ELIcon
EphPod
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0 Software
HP Photosmart Essential
HP Software Update
HP Solution Center 7.0
Intel(R) Graphics Media Accelerator Driver
Intel(R) PROSet/Wireless Software
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
Logitech QuickCam
Logitech® Camera Driver
Malwarebytes' Anti-Malware
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Project MUI (English) 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Project Professional 2007 (Beta)
Microsoft Office Proof (English) 2007 (Beta)
Microsoft Office Proof (French) 2007 (Beta)
Microsoft Office Proof (Spanish) 2007 (Beta)
Microsoft Office Shared MUI (English) 2007 (Beta)
Microsoft Office Standard Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
Mixer
mLogView
mMHouse
Modem Helper
Motorola Phone Tools
Mozilla Firefox (3.0.1)
mPfMgr
mPfWiz
mProSafe
MSN
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch® Jukebox
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
NetZeroInstallers
OfotoNow
QuickSet
QuickTime
Real Alternative 1.51
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Search Assist
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Skype 2.5
Sonic Activation Module
Sonic Update Manager
Sound Blaster Audigy ADVANCED MB Demo
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Tiny soft
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
URL Assistant
Viewpoint Media Player
WebCyberCoach 3.2 Dell
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WordPerfect Office 12
pskelley
2008-08-17, 23:37
Let's see what we can do, looks like you missed this:
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP,
Update for Windows XP and Windows XP Hotfix to shorten the list)
No biggie, that stuff will all go away when you install SP#3 which your computer is probably asking to do now. Best to wait until we finish if possible. If other criticals come up you can bypass SP#3 by choosing "custom install" and installing all but SP#3.
Uninstall list: Hackers are using out of date programs to exploit and infect, so it is more imporant than ever to keep all programs up to date. This program is freeware and will do that for you if you wish:
https://psi.secunia.com/ <<< for your information, the programs runs in the system tray for instant notification. I prefer to turn it off in System Configuration Utility (MSConfig) and run it manually from All Programs monthly or so to check for updates, your call if you wish to use it.
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 2
See this information, this is dangerous, once you have the newest version, uninstall those.
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Viewpoint Media Player <<< suggest you uninstall, see this:
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
I suggest you look at the other programs and uninstall anything no longer needed.
1) Make sure you can view all files and folder:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
2) Start > Control Panel > Add Remove programs > Uninstall GbPlugin if there.
3) Disable the Service
Click Start > Run and type services.msc
Scroll down to Gbp Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Program Files\GbPlugin\gbiehabn.dll
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) -
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Program Files\GbPlugin\GbpSv.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\Program Files\GbPlugin\ <<< delete that folder and it's contents.
Restart, update and run a System Scan with AVG 8, remove anything it finds (moves it to the Virus Vault where it could be restored if needed) then report back with any issues we need to address.
Thanks...Phil
blogaibernukas
2008-08-18, 01:48
Hi Phil,
So, I tried getting rid of Gbp Service by following your directions but when I try deleting it from the Program Files folder it says it's not possible. I then tried doing it again from the beginning and noticed that when I go to properties and try to disable it from Start up type it won't let me do it. It just goes back to "Automatic" when I click Apply.
Installed the Secunia and updated the suggested programs. However it says
NOTE:
Show only Easy-to-Patch programs is enabled. 18 programs not shown. [?]
If you are technically skilled, we strongly recommend that you disable this feature!
I thought I would post what programs appear when I disable this just in case. They are:
Insecure Programs
This page displays programs that the Secunia PSI has detected on your computer for which there are known security updates available. We recommend, that you update or uninstall all programs listed here. Click any entry on this page to view further details.
Insecure Programs [?] Version Detected [?] Security State [?] Direct [?]
Adobe Flash Player 9.x (General Plug-in) 9.0.16.0 Insecure
Intel PROSet/Wireless Software 10.x 10.1.0.17 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
InterActual Player 2.x 2.2.7.713 Insecure
iTunes 7.x 7.3.2.6 Insecure
Macromedia Flash Player 6.x 6.0.80.0 Insecure
Macromedia Flash Player 6.x 6.0.79.0 Insecure
Microsoft Data Access Components (MDAC) 2.x 2.81.1117.0 Insecure
Microsoft Excel 2003 11.0.5612.0 Insecure
Microsoft Office PowerPoint 2003 Viewer 11.0.5530.0 Insecure
Microsoft Outlook 2003 11.0.5510.0 Insecure
Microsoft Powerpoint 2003 11.0.5529.0 Insecure
Microsoft Word 2003 11.0.5604.0 Insecure
Also, would you teach me how turn the instant notification off? I think I don't know how to do it like you said. What is (MSConfig) and how can I access it?
AVG scan returned no threats, just a couple of warnings that I've fixed.
Thank you for your valuable help!
L
pskelley
2008-08-18, 02:10
1) Gbp Service: Where are you located anyway? UK I think you said, why would you use banking software from Brazil?
I think I mentioned I have never seen this before.
http://www.gastecnologia.com.br/site/pt/ contact them for information about removing their junk.
http://www.gastecnologia.com.br/site/pt/Contact.aspx
2) Secunia PSI <<< I am sorry, I just do not have the time to conduct a tutorial on using this program. If you take the time to look at it, follow the directions, It is far from being difficult.
3) System Configuration Utility (MSConfig)
http://www.netsquirrel.com/msconfig/msconfig_xp.html
Thanks
blogaibernukas
2008-08-18, 02:48
Hi Phil,
You are right, sorry, I'll look for the instructions on Secunia myself.
I am Brazillian but am in London right now. I live abroad so I access my bank from this computer. I used to live with my sister so I used to access it from her computer. I no longer access it from here.
I wrote their makers (Gas Tecnologia) and ask them how to remove it. Meanwhile I have been looking in websites in Portuguese for some advice and am trying a couple of things. Should we try combofix again? Is there anything else I can do while we wait for a response on that?
Please let me know.
L
pskelley
2008-08-18, 02:57
Is there anything else I can do while we wait for a response on that?Not really, I remove malware and as far as I can see that has been done.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
blogaibernukas
2008-08-18, 03:14
I'll begin reading all the info now, thank you a lot!
So regarding those two still showing on spybot I can just ignore them, right?
Thank you for all your help and patience!
L
pskelley
2008-08-18, 03:16
If you are running the newest version of Spybot S&D and fully immunized, then post here:
http://forums.spybot.info/forumdisplay.php?f=4
and see what the Spybot S&D experts have to say.
Thanks
blogaibernukas
2008-08-18, 05:18
Hi Phil,
Me again. So sorry for the confusion, I'm really almost "illiterate" in computers so don't know the difference between all the files that are bad to your computer (malware, spyware, PUP, etc) I went to the other forum you advised and they redirected me here :( So sorry to bug again!
Anything I need to do to stop that from showing in spybot scans? It's not affecting my navigation so far but just trying to prevent it from happening again and wrecking all of our hard work :).
Also, so far no luck with removing that gbpsv.exe :( I read a lot of stuff but I'm affraid to isntall stuff people suggest (Killbox, Process Express, Autoruns, etc) The other problem is also that my sister does not remember the password to log in as an administrator. I guess they bought the computer and just never had to log in this way, therefore I cannot follow some of the suggestions to erase that, but I'll keep on looking tomorrow. Also, tomorrow there might be a response from their makers.
L
blogaibernukas
2008-08-18, 05:20
QUOTE
Don't worry, Pskelly will assist you with that question too. All you need to do is ask.
__________________
Spybot-S&D 1.6.0.30
Windows XP Home Edition SP3 (32-bit); Sony VAIO PCV-RS620G
CPU: Intel Pentium 4, 3.00 Ghz; 512 MB of RAM
-
Geek.
blogaibernukas
2008-08-18, 13:19
Please let me know if I need to start a new thread for that one
pskelley
2008-08-18, 13:55
Post a Spybot S&D log:
on the toolbar menu select mode and switch to advanced, on the left select tools, view report, make sure all the options are selected near the bottom except:
Uncheck[ ] do not report disabled or known legitimate Items,
uncheck[ ] Include a list of services in report.
Uncheck[ ] Include uninstall list in report.
Now select near top-- view report, Press export, and save the log somewhere so you can find it. post the saved log in your next reply.
Thanks
blogaibernukas
2008-08-18, 14:25
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-08-13 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2007-01-15 advcheck.dll (1.2.1.0)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-08-05 Includes\Adware.sbi
2008-08-12 Includes\AdwareC.sbi
2008-06-03 Includes\Cookies.sbi
2008-06-03 Includes\Dialer.sbi
2008-08-05 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-07-30 Includes\Hijackers.sbi
2008-08-12 Includes\HijackersC.sbi
2008-08-05 Includes\Keyloggers.sbi
2008-08-12 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-08-05 Includes\Malware.sbi
2008-08-12 Includes\MalwareC.sbi
2008-08-05 Includes\PUPS.sbi
2008-08-12 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-08-12 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-08-12 Includes\Spyware.sbi
2008-08-12 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi
2008-08-12 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Hotfix (KB928366)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ MSXML4SP2: FIX: ASP stops responding when calling Response.Redirect to another server using msxml4 sp2
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB923723)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Format 11 SDK: Hotfix for Windows Media Format 11 SDK (KB929399)
/ Windows Media Player 11: Security Update for Windows Media Player 11 (KB936782)
/ Windows Media Player 11: Hotfix for Windows Media Player 11 (KB939683)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB928090)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB929969)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB931768)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB933566)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB937143)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB939653)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885855
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB889673
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Windows XP Hotfix - KB892627
/ Windows XP / SP3: Windows XP Hotfix - KB893056
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Hotfix for Windows XP (KB896256)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Hotfix for Windows XP (KB906569)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Hotfix for Windows XP (KB908673)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912812)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Update for Windows XP (KB912945)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Security Update for Windows XP (KB916281)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921503)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922760)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925454)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Security Update for Windows XP (KB925902)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Update for Windows XP (KB929338)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB932823-v3)
/ Windows XP / SP3: Update for Windows XP (KB933360)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB941693)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB945553)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Security Update for Windows XP (KB948590)
/ Windows XP / SP3: Security Update for Windows XP (KB948881)
/ Windows XP / SP3: Security Update for Windows XP (KB950749)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP OOB / SP10: High Definition Audio Driver Package - KB835221
--- Startup entries list ---
Located: HK_LM:Run,
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1232152
MD5: 348A781AEF0870A56549F53BB37A233A
Located: HK_LM:Run, iTunesHelper
command: "C:\Program Files\iTunes\iTunesHelper.exe"
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 267064
MD5: C211025F578AACFF167F05C19EA0BC78
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 413696
MD5: F34EB5D4F145ED5FE50033CA3A41ED24
Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
Located: HK_CU:Run, DellSupport
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Dell Support\DSAgnt.exe" /startup
file: C:\Program Files\Dell Support\DSAgnt.exe
size: 332800
MD5: A40D952C0355C85867517AA529A06741
Located: HK_CU:Run, ModemOnHold
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\NetWaiting\netWaiting.exe
file: C:\Program Files\NetWaiting\netWaiting.exe
size: 20480
MD5: 676B1D0BFA5EF8005395AB43F33DE1F1
Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-3422659222-3953710222-2854813571-1005...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
Located: Startup (user), Secunia PSI (RC3).lnk
where: C:\Documents and Settings\Denise Kenney\Start Menu\Programs\Startup...
command: C:\Program Files\Secunia\PSI (RC3)\psi.exe
file: C:\Program Files\Secunia\PSI (RC3)\psi.exe
size: 663552
MD5: A53A32D97CD02E0319765EA55B5F9FEA
Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, igfxcui
command: igfxdev.dll
file: igfxdev.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!
--- Browser helper object list ---
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 8/17/2008 10:03:10 PM
Date (last access): 8/17/2008 11:27:28 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6
{C41A1C0E-EA6C-11D4-B1B8-444553540007} (G-Buster Browser Defense ABN AMRO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: G-Buster Browser Defense ABN AMRO
CLSID name: GbIehObj Class
Path: C:\Program Files\GbPlugin\
Long name: gbiehabn.dll
Short name:
Date (created): 6/28/2007 8:03:48 AM
Date (last access): 8/18/2008 10:29:32 AM
Date (last write): 8/15/2007 5:14:04 PM
Filesize: 207280
Attributes: archive
MD5: E481C8708AB29D6215C778AE6834A589
CRC32: C49BCB81
Version: 3.6.5.3
--- ActiveX list ---
{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/17/2008 11:27:28 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/18/2008 12:24:36 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name: NPJPI1~1.DLL
Date (created): 6/10/2008 2:32:34 AM
Date (last access): 8/18/2008 12:24:36 PM
Date (last write): 6/10/2008 4:27:02 AM
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9f.ocx
Short name:
Date (created): 3/25/2008 3:32:42 AM
Date (last access): 8/18/2008 11:40:12 AM
Date (last write): 3/25/2008 3:32:42 AM
Filesize: 2991488
Attributes: readonly archive
MD5: 48FDF435B8595604E54125B321924510
CRC32: 12335E29
Version: 9.0.124.0
--- Process list ---
PID: 0 ( 0) [System]
PID: 764 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 820 ( 764) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 844 ( 764) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 920 ( 844) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 932 ( 844) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 1128 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1192 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1232 ( 920) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1280 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1416 ( 920) C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
size: 114753
MD5: ED9C755312F29D55B8C815EEC7115635
PID: 1448 ( 920) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
size: 540745
MD5: B792F2C647B1FC3E4987DE582EE00FE3
PID: 1524 ( 920) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
size: 262217
MD5: AFB5A2A79BB01699A269C316D8B9BEF1
PID: 1572 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1688 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1756 (1740) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 264 ( 920) C:\Program Files\GbPlugin\GbpSv.exe
size: 45512
MD5: 5530BE6EA933966979583AC7A89C8524
PID: 616 ( 920) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 724 ( 920) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 231192
MD5: F43C8FCC7FDB984FD06FE29BAA741947
PID: 788 ( 920) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
size: 217164
MD5: 6F81C8A63FB824EB8A2401AB45795553
PID: 896 ( 920) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 464 ( 724) C:\Program Files\AVG\AVG8\avgrsx.exe
size: 287000
MD5: BA1CE056CE1466CA28CE118585EA86C4
PID: 2136 ( 920) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2856 (1756) C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1232152
MD5: 348A781AEF0870A56549F53BB37A233A
PID: 2864 (1756) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 2876 (1756) C:\Program Files\iTunes\iTunesHelper.exe
size: 267064
MD5: C211025F578AACFF167F05C19EA0BC78
PID: 2904 (1756) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 2916 (1756) C:\Program Files\Secunia\PSI (RC3)\psi.exe
size: 663552
MD5: A53A32D97CD02E0319765EA55B5F9FEA
PID: 3072 ( 920) C:\Program Files\iPod\bin\iPodService.exe
size: 503608
MD5: 0DC1C51D6C7448E270B7D2552F7A4779
PID: 352 (1756) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 232B22817B90AE0AFF2D189E3E3735AC
PID: 3228 (1756) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 232B22817B90AE0AFF2D189E3E3735AC
PID: 3588 (1756) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 232B22817B90AE0AFF2D189E3E3735AC
PID: 1732 (1756) C:\Program Files\Internet Explorer\iexplore.exe
size: 625664
MD5: 232B22817B90AE0AFF2D189E3E3735AC
PID: 3612 (1128) C:\Program Files\MSN Messenger\msnmsgr.exe
size: 5674352
MD5: C4281AD865739E71FD1E4DAC19A68D60
PID: 3756 ( 920) C:\Program Files\MSN Messenger\usnsvc.exe
size: 97136
MD5: C5B70A6AA947667CE0E5FC84A05EC8B6
PID: 3640 (1756) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System
--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 8/18/2008 12:24:36 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://www.google.com/search?q=%s
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.msn.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://www.google.com/ie
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7989D87E-6B52-4554-A5AE-48B41EC5C29A}] SEQPACKET 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7989D87E-6B52-4554-A5AE-48B41EC5C29A}] DATAGRAM 5
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E7790F31-EF1B-426C-989F-5BEF705BA825}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E7790F31-EF1B-426C-989F-5BEF705BA825}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{17C8B74D-0EEA-411B-A992-1C22E4768C76}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{17C8B74D-0EEA-411B-A992-1C22E4768C76}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2EDA8AC-AA8E-4B94-A969-3E8A846D6C8F}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C2EDA8AC-AA8E-4B94-A969-3E8A846D6C8F}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EA219350-B25F-4304-B0A7-CA6C15D25C3F}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C8FB8631-14EB-4BD0-9EBA-74664FE3AF1E}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C8FB8631-14EB-4BD0-9EBA-74664FE3AF1E}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
Namespace Provider 3: mdnsNSP
GUID: {B600E6E9-553B-4A19-8696-335E5C896153}
Filename: C:\Program Files\Bonjour\mdnsNSP.dll
Description: Apple Rendezvous protocol
DB filename: %ProgramFiles%\Rendezvous\bin\mdnsNSP.dll
DB protocol: mdnsNSP
pskelley
2008-08-18, 15:45
No help there, since this is only two items, could you run Spybot S&D and post all of the information Spybot S&D presents you with. You are checking all red items and telling Spybot to remove them...yes? I am looking for the location of the junk on your computer.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here along with the information I requested above.
Thanks
blogaibernukas
2008-08-18, 18:41
Hi,
Sorry, it took me a bit bc I had to figure out how to turn off AVG. And also it took Kapersky three times to properly install. But then I guess everything went ok from there
Kapersky process was slightly different than the steps I'll write exactly what happened just in case it's of relevance
- There was no "next" here * Once the files have been downloaded click on NEXT
- I clicked on a button that said "settings" didn't find "scan settings" hope it's the same * Now click on Scan Settings
* In the scan settings make that the following are selected:
- This option wasn't there * Scan using the following Anti-Virus database: * Standard
Ok from here * Scan Options:
Here's what it came up with:
And Here's the info I got from Running Spybot again (not on safe mode though, if you think it would help to run it on safe mode please let me know but I have already tried a couple of times and do not get very different results)
It came up with four things this time
- Double Click (1 entries Browser)
Tracking cookie (Internet Explorer: Denise Kenney)
Internet Explorer (Denise Kenney): Cookie: denise kenney@doubleclick.net/ ()
- WebTrends live (1 entries Browser)
Tracking cookie (Internet Explorere: Denise Kenney)
Internet Explorer (Denise Kenney): Cookie: denise kenney@statse.webtrendslive.com/ ()
- WildTangent (3 entries PUPS)
(SBI $3A3BDC07) Program directory
C:\WINDOWS\wt\
(SBI$76830867) Program directory
C:\WINDOWS\wt\wtupdates\
(SBI $7E3A8D37) Program directory
C:\WINDOWS\wt\webdriver\
- Winsoftware.WinAntiVirusPro2007 (1 entries Trojans)
(SBI $35B8f581) Program directory
c:\UWA7P\
Then I check everything and click on the button Fix selected problems
It says - You are about to remove these entries. Do you want to continue?
I click Yes and it comes up with: Some problems coudn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restar. May Spybot-S&D run on your next system startup?
Then I click Yes but next time it starts up it runs and says the same thing, that it's in use
Than it says 4 problems could not be fixed and a "close sing" appears on the side of each of those four last files.
I'm not sure that's exactly what you wanted but I'll paste the log here just in case I missed something when copying the above
Hint of the Day: Click the bar at the right of this to see more information! ()
WildTangent: [SBI $3A3BDC07] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\
WildTangent: [SBI $76830867] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\wtupdates\
WildTangent: [SBI $7E3A8D37] Program directory (Directory, fixing failed)
C:\WINDOWS\wt\webdriver\
Winsoftware.WinAntiVirusPro2007: [SBI $35B8F581] Program directory (Directory, fixing failed)
c:\UWA7P\
DoubleClick: Tracking cookie (Internet Explorer: Denise Kenney) (Cookie, fixed)
WebTrends live: Tracking cookie (Internet Explorer: Denise Kenney) (Cookie, fixed)
--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---
2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-08-13 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2007-01-15 advcheck.dll (1.2.1.0)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-08-05 Includes\Adware.sbi (*)
2008-08-12 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-08-05 Includes\DialerC.sbi (*)
2008-07-23 Includes\HeavyDuty.sbi (*)
2008-07-30 Includes\Hijackers.sbi (*)
2008-08-12 Includes\HijackersC.sbi (*)
2008-08-05 Includes\Keyloggers.sbi (*)
2008-08-12 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-08-05 Includes\Malware.sbi (*)
2008-08-12 Includes\MalwareC.sbi (*)
2008-08-05 Includes\PUPS.sbi (*)
2008-08-12 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-18 Includes\Security.sbi (*)
2008-08-12 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-08-12 Includes\Spyware.sbi (*)
2008-08-12 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti
2008-08-05 Includes\Trojans.sbi (*)
2008-08-12 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Thank you
L
pskelley
2008-08-18, 19:50
1) First two are tracking cookies, they are a part of doing business on the internet. If you want to control those, see this information:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
Keep in mind certain sites require cookies for security. I once blocked all cookies and then I could not access online banking until I used the override feature to allow the banks cookie.
2) WildTanget: I consider it adware and do not allow it on my computers. If you remove it (and use any games requiring it) they may not work.
C:\WINDOWS\wt\ <<< navigate to the folder in red and delete it and the contents. You may need hidden files and folder enabled:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
and you may have to delete that folder in Safe Mode:
http://spyware-free.us/tutorials/safemode/
3) Winsoftware.WinAntiVirusPro2007:
c:\UWA7P\ <<< navigate to the folder in red and delete it and the contents.
4) Run Clean Manager
http://spyware-free.us/tutorials/cleanmgr/
Empty the Recycle Bin on the Desktop and restart the computer so the changes can go into effect.
(I wish to point out this is all basic computing 101)
http://www.google.com/search?hl=en&q=basic+computing+tutorials&btnG=Google+Search
Thanks
blogaibernukas
2008-08-19, 02:22
I REALLY don't know how to thank you.
Besides getting rid of all the malware I've learned A LOT!!! Yes, I can see that's really basic and the tutorials are great. Thank you!
In fact, all the tutorials and tips are really helpful and when I get home I'm going to put all that in practice with my own computer as well.
Wanted to upgrade the service pack but since this is my sister's computer I don't want to take the risk to lose her files, plus it' s a laptop, no floppy, no Recovery System backup or any of that. But I'll do it on mine for sure
It was all really helpful!!!!
Have a great summer!
L