View Full Version : spyware quake
This little gem appeared on my husband's pc two days ago. As well as all the popups, internet explorer has been hijacked by bestsecurityguide.com which is not allowing access to any other website.
I have probably made some mistakes, for which I apologise in advance, but this is what I have done so far:
1) Downloaded Spybot and Hijackthis onto my pc, burnt them to CD-ROM and installed them on my husband's pc.
2) Created a restore point
3) Run Spybot and let it fix the red entries.
4) Rebooted. The annoying popups had disappeared but the browser was unchanged.
5) Run HijackThis and deleted 3 obvious entries: one about MediaGateway.exe, one about SpywareQuake.exe and one about zangocash.com.
6) Rebooted. Still no change to the browser so have rerun HijackThis and offer the log file for your help, please.
Logfile of HijackThis v1.99.1
Scan saved at 14:30:08, on 13/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\System32\hpD75C.tmp
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://www.myweatherford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093935040761
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
pskelley
2006-04-13, 19:13
Hello and welcome to the forum. tashi Pinned a fix for this junk at the top of the page. You may want to review all Pinned information to see if anything applies to you. http://forums.spybot.info/showthread.php?t=3261
We may still have to run the fix for Smitfraud because I still see a marker for it in the log. Let's do this and see what happens.
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\System32\hpD75C.tmp
(this next toolbar is probably not working with the missing file. You will want to download it again when we are done if you use it)
O3 - Toolbar: BT Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll (file missing)
(next two are Alexa toolbar related and resource wasters, leave them only if you use Alexa)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Close all programs but HJT and all browser windows, then click on "Fix Checked"
Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\System32\hpD75C.tmp >>> file (if there)
C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications when you run the registry cleaner (Issues) you will be prompted to backup before you can remove stuff, make sure you do.
In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info" if present.
post a new HJT log and let me know how the computer is running.
Thanks...pskelley
Safer Networking Forums
Thanks for replying quickly.
I have followed your instructions and internet explorer is now behaving properly. Running HijackThis produced the following report:
Logfile of HijackThis v1.99.1
Scan saved at 19:19:58, on 13/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://www.myweatherford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093935040761
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
However, Spybot is still reporting:
Vcodec: Data (File, nothing done)
C:\Windows\system32\ncompat.tlb
What should I do next, please?
pskelley
2006-04-14, 00:28
http://www.sophos.com/virusinfo/analyses/trojpuperac.html
Advanced tab: The files hpXXXX.tmp and msvol.tlb is detected as Troj/Puper-AC. The file ncompat.tlb can be deleted safely.
see here: http://forums.spybot.info/showthread.php?t=3205 where otter357 neglected to run the tool posted on #14 post in the thread. This was why I said we might need to run that fix I gave you the link to.
Since that is the only item you are having a problem with, just delete that file as suggested by Sophos. I would like to take one more look since this SpywareQuake fix was not run according to protocol.
C:\Windows\system32\ncompat.tlb <<< delete that file, if it gives you any problems, try this:
How to use the Delete on Reboot tool
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
Once this completed, then do this:
Please do an online scan with Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post, along with any other comments you think I should have.
Thanks...Phil
Well, well well, what a lot of nasties have managed to infiltrate my husband's computer - despite regular scanning.
I deleted ncompat.tlb, ran SmitRem.exe and the Kaspersky scan. The log files are attached.
Thanks, Helen
pskelley
2006-04-14, 22:01
Hi Helen, I apologize but I prefer not to open attachments. Please copy/paste the two reports direct to the the thread. The Kaspersky scan, you may edit out any cookies (delete them) and any infected System Restore files, we will be cleaning them as part of the cleanup.
Thanks...Phil:wink::
Hi Phil,
My apologies, I won't make that mistake again!
Cheers, Helen
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: 14/04/2006
The current time is: 16:47:28.89
Running from
C:\Documents and Settings\Geddes\Desktop\smitRem
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 708 'explorer.exe'
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright(C) 2006 BleepingComputer.com
Registry Pseudo-Format Mode (Not a valid reg file):
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{E2CA7CD1-1AD9-F1C4-3D2A-DC1A33E7AF9D}"="USB Ware"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN! :)
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, April 14, 2006 5:36:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 14/04/2006
Kaspersky Anti-Virus database records: 188132
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 32932
Number of viruses found: 12
Number of infected objects: 27
Number of suspicious objects: 2
Duration of the scan process: 00:26:09
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/04 Feb 2005 20:51 from Halifax:Halifax Internet banking: securit.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/21 Feb 2005 22:59 from Washington Mutual:Washington Mutual - sec.html Infected: Trojan-Spy.HTML.Wamufraud.bo skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/01 Mar 2005 04:01 from Halifax bank:Urgent Security Notice.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/22 Mar 2005 03:31 from Halifax bank:Halifax Internet banking: UR.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/01 Nov 2005 21:20 from Yahoo! Groups:Unable to deliver your mess/01 Nov 2005 21:20 from Geddeschalmers/Health_and_knowledge.zip/t_535475.exe Infected: Email-Worm.Win32.Bagle.ef skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/01 Nov 2005 21:20 from Yahoo! Groups:Unable to deliver your mess/01 Nov 2005 21:20 from Geddeschalmers/Health_and_knowledge.zip Infected: Email-Worm.Win32.Bagle.ef skipped
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 6 skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe NSIS: infected - 2 skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/05 Feb 2005 23:15 from Smith Barney:Smith Barney Fraud Verificat.html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/29 Mar 2005 15:41 from Regions & Union Planters:Regions Bank ale.html Infected: Trojan-Spy.HTML.Bankfraud.ci skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/05 Apr 2005 20:44 from aw-confirm@ebay.com:TKO Notice: ***Urgent.html Infected: Trojan-Spy.HTML.Bayfraud.co skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Gliding/10 Jul 2005 21:56 from Martin Knight:/ipnetinfo.zip/ipnetinfo.exe Infected: not-a-virus:NetTool.Win32.IpNetInfo.120 skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Gliding/10 Jul 2005 21:56 from Martin Knight:/ipnetinfo.zip Infected: not-a-virus:NetTool.Win32.IpNetInfo.120 skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst Mail MS Mail: infected - 5 skipped
C:\Program Files\HijackThis\backups\backup-20060413-173915-759.dll Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20060114143547.zip/iinstall.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20060114143547.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP129\A0107387.exe Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP200\A0110125.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP201\A0110148.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP201\A0110156.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP201\A0110168.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP202\A0110173.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP202\A0110192.exe Infected: Trojan-Downloader.Win32.Zlob.lh skipped
C:\System Volume Information\_restore{C1FF9127-F94F-4399-81EE-AA9542E2A66E}\RP204\A0110561.exe Infected: Trojan-Downloader.Win32.Zlob.lc skipped
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\WINDOWS\system32\interf.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
Scan process completed.
pskelley
2006-04-15, 21:41
OK Helen, thanks and I do appreciate that. Nasty mess here!
Since this is likely evidence of a bagle worm infection that may still be active, I would start by running this removal tool by Symantec: http://www.symantec.com/avcenter/venc/data/w32.beagle.a@mm.html
Then I would update your antivirus progam and run a complete system scan. The tool and the scans may or may not remove the junk Kaspersky is showing, so I will suggest how to make sure it is gone manually.
This a strange Kaspersky report, let's try to make some sense out of it.
You will probably need to delete these infected items in safe mode, you can try first, but here are the instructions if you need them:
http://www.bleepingcomputer.com/tutorials/tutorial61.html
(You need to work with me on this, I do not want to copy all of that information again, so just look at the Kaspersky scan. This is just a guess as I have not seen a Kaspersky scan on the bagle worm before, but it looks like email got deleted that was infected?)
(here I believe cleaning the "Deleted itemsd folder will get rid of the infected items)
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/04 Feb 2005 20:51 from Halifax:Halifax Internet banking: securit.html Infected: Trojan-Spy.HTML.Bankfraud.hs skipped
It looks like any of these infected files are in the "Deleted Items" folder. <<< I would navigate there and clean out that folder.
C:\Documents and Settings\Geddes\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 6 skipped <<< this looks like infected email.
(Looks like Kasperskky is seeing CCleaner setup files as a risk, you can skip these)
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe NSIS: infected - 2 skipped
(looks like infected backups...I would delete these backups)
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/05 Feb 2005 23:15 from Smith Barney:Smith Barney Fraud Verificat.html Infected: Trojan-Spy.HTML.Smitfraud.c skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/29 Mar 2005 15:41 from Regions & Union Planters:Regions Bank ale.html Infected: Trojan-Spy.HTML.Bankfraud.ci skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Deleted Items/05 Apr 2005 20:44 from aw-confirm@ebay.com:TKO Notice: ***Urgent.html Infected: Trojan-Spy.HTML.Bayfraud.co skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Gliding/10 Jul 2005 21:56 from Martin Knight:/ipnetinfo.zip/ipnetinfo.exe Infected: not-a-virus:NetTool.Win32.IpNetInfo.120 skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst/Personal Folders/Gliding/10 Jul 2005 21:56 from Martin Knight:/ipnetinfo.zip Infected: not-a-virus:NetTool.Win32.IpNetInfo.120 skipped
C:\Helen\Helen Docs on 'PC1 (Helen)' (Z)\Outlook Backups\Email Backups\Helen Outlook 25 Jul 05.pst Mail MS Mail: infected - 5 skipped
(this is in HJT backups, you can delete it if you wish, it can get back on the computer unless you manually restore it)
C:\Program Files\HijackThis\backups\backup-20060413-173915-759.dll Infected: Trojan-Downloader.Win32.Zlob.lh skipped
(clean out the Yahoo quarantine folder)
C:\Program Files\Yahoo!\YPSR\Quarantine\20060114143547.zip/iinstall.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20060114143547.zip ZIP: suspicious - 1 skipped
The balance are infected System Restore files, let's clean them out like this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
Oops...two more:
C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll Infected: not-a-virus:AdWare.Win32.WinAD.bv skipped
C:\WINDOWS\system32\interf.tlb Infected: Trojan-Downloader.Win32.Zlob.lh skipped
(Delete both files highlited in red and you will probably need to do it in safe mode)
Recap: Once you have used the Symantec tool, scanned with an updated AVG and follow the balance of the instructions to make sure nothing is left manually, scan again with Kaspersky and it should be clean. Post the scan results and a last HJT log for a final look.
Thanks...Phil
I ran the beagle worm removal tool twice and both times it said W32.Beagle, Trojan Toosa not found on PC.
I deleted the files you selected. It took some detective work to find some of them but I finally got them in DOS and deleted them in safe mode. All except interf.tlb, but as that is not coming up on the scans I hope you'll say it's been dealt with.
AVG isn't reporting any viruses, System Restore has been cleared out and SpyBot is clear as well.
Here are the latest reports:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, April 16, 2006 4:06:14 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 16/04/2006
Kaspersky Anti-Virus database records: 188338
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 28758
Number of viruses found: 1
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 00:22:03
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe NSIS: infected - 2 skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 16:32:39, on 16/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/?.home=ytie
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\neoteris\secure application manager\gapsp.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://www.myweatherford.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093935040761
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Thanks, Helen
pskelley
2006-04-16, 21:12
Hi Helen, I knew that was going to be tough:( I could not think of any way to make it easier, without purchasing tools?
Let's see what things look like now. This: interf.tlb may be gone or just a dead entry. I would not worry about it unless it causes you issues.
Logfile of HijackThis v1.99.1 Scan saved at 16:32:39, on 16/04/2006
Your HJT log looks good, here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
KASPERSKY ON-LINE SCANNER REPORT Sunday, April 16, 2006 4:06:14 PM
Still the CCleaner items, why don't you delete them to be sure.
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped
C:\Documents and Settings\Geddes\My Documents\downloads\ccleaner\ccsetup128.exe NSIS: infected - 2 skipped
Here is a fun tool for you::D
Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop.
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
(you choose what you want to clean, you would not want to clean our Prefetch everytime)
Select the items you wish to clean,
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
If you are running well, then there is no need to post again. tashi we be around to close you in a few days.
Safe surfing:bigthumb:
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the thread. Cheers.