Security warning: your computer may be infected with harmful or unwanted software!
victorypath
2006-12-02, 15:44
Hello!
I have this icon on my taskbar that keeps popping up whenever I log on. The icon is a red circle with an exclamation point. A message pops up from that icon at startup. The message is the following: "Security warning: your computer may be infected with harmful or unwanted software!"
I have scanned my computer with Spybot, Ad-Aware SE and Spyware Doctor. None of the programs detected or fixed the problem. Please help me.
This is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:44:01, on 2006-12-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Delade filer\Mediafour\MACVNTFY.EXE
C:\Program\F-Secure\Common\FSM32.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\Spyware Doctor\swdoctor.exe
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\PROGRAM\MOZILL~2\FIREFOX.EXE
C:\Documents and Settings\Mackan\Skrivbord\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A6EAA13-A26C-4F26-8D37-043CC64896C1} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\mcyqdqyr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program\Delade filer\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvlax.dll,startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.film2home.com
O15 - Trusted Zone: http://www.film2home.no
O15 - Trusted Zone: http://www.film2home.se
O15 - Trusted Zone: http://clients.playout.se
O15 - Trusted Zone: http://psswe.playout.se
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C473C06-997F-4AEC-B9FC-4E8477263877}: NameServer = 195.58.103.124,195.58.103.18
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program\Delade filer\Mediafour\MacDriveiTunesPatch.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvusttq - wvusttq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
pskelley
2006-12-02, 21:42
Welcome to the forum, follow the directions in this link: http://forums.spybot.info/showthread.php?t=4015 When you finish the instructions, post the three logs in this same topic using the "Post Reply" button. Follow the instructions exactly.
I see you already have AVG Anti-Spyware installed, so please use these instructions when you run it, and make sure you delete or at least quarantine what it locates.
http://forums.security-central.us/showthread.php?t=3165
Spybot-S&D: Be sure to follow the directions to save the scan report but do not post it here unless requested by a helper.
Thanks...pskelley
Safer Networking Forums
victorypath
2006-12-03, 02:25
Hi again, thanks for your help! Here are the three logs:
SmitFraudFix v2.126
Scan done at 22:41:33,12, 2006-12-02
Run from C:\Documents and Settings\Mackan\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\drvlax.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mackan
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mackan\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mackan\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 00:56:28 2006-12-03
+ Scan result:
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP412\A0051755.exe -> Adware.Maxifiles : Ignored.
C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Ignored.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053071.dll -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053072.exe -> Adware.Softomate : Ignored.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP411\A0051738.exe -> Downloader.PurityScan.dc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP411\A0051737.exe -> Downloader.PurityScan.dt : Cleaned with backup (quarantined).
C:\Mackans Mapp\Media\Apps\cuteftppro2+Crk\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
D:\Documents and Settings\victorypath\Mina dokument\Mina mottagna filer\cuteftppro2+Crk.zip/cuteftppro2+Crk/Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
D:\Program\CuteFTP Pro\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
:mozilla.69:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.583:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.91:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Admarketplace : Cleaned.
:mozilla.27:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.28:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.29:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.30:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.539:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.20:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.12:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.229:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.242:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned.
:mozilla.250:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.545:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Gamershell : Cleaned.
:mozilla.671:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.576:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Masterstats : Cleaned.
:mozilla.477:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.10:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.11:C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP413\A0051858.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP413\A0051887.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP419\A0051990.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0052977.dll -> Trojan.Mezzia : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP412\A0051758.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0052162.exe -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 01:14:37, on 2006-12-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program\Delade filer\Mediafour\MACVNTFY.EXE
C:\Program\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\Program\Spyware Doctor\swdoctor.exe
C:\Program\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A6EAA13-A26C-4F26-8D37-043CC64896C1} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\mcyqdqyr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program\Delade filer\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.film2home.com
O15 - Trusted Zone: http://www.film2home.no
O15 - Trusted Zone: http://www.film2home.se
O15 - Trusted Zone: http://clients.playout.se
O15 - Trusted Zone: http://psswe.playout.se
O15 - Trusted Zone: *.sf-anytime.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C473C06-997F-4AEC-B9FC-4E8477263877}: NameServer = 195.58.103.124,195.58.103.18
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program\Delade filer\Mediafour\MacDriveiTunesPatch.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvusttq - wvusttq.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
How can I be sure that my computer is completely clean?
pskelley
2006-12-03, 03:04
How can I be sure that my computer is completely clean?
If I could answer that question, and be right, I would be a very rich man. Most of these infections can be removed or negated so they cannot run, and the tools we scan with will generally show no infections. There are rootkit and backdoor types that we can never be sure about; we generally tell the member they can never be assured of computer safety and generally suggest reformatting. In your case, I feel we can remove the junk, and no signs of the infections and a well-running computer are about all I can promise.
1) http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if you need it.
Start like this:
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click smitfraudfix.cmd
Select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete the Trusted Zone entries.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
2) AVG Anti-Spyware - Scan Report Created at: 00:56:28 2006-12-03
It is OK that you ignored the System Restore items; the program cannot clean them anyway, and we will clean those files before we are done. But you ignored some that need to go:
Unless you are positive these items are safe, run the program again and delete or at least quarantine them. Use this tutorial if needed:
http://forums.security-central.us/showthread.php?t=3165
C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Ignored.
C:\Mackans Mapp\Media\Apps\cuteftppro2+Crk\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
D:\Documents and Settings\victorypath\Mina dokument\Mina mottagna filer\cuteftppro2+Crk.zip/cuteftppro2+Crk/Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
D:\Program\CuteFTP Pro\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Ignored.
3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
4) AVG Anti-Spyware 7.5\guard.exe <<< turn this off, it will block changes we must make:
Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
5) Spyware Doctor <<< turn off this for the same reason:
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".
6) SpywareGuard <<< right click it in the System Tray and choose exit.
7) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(If you are positive the 015 Trusted Zone items are safe, you may leave them)
O2 - BHO: (no name) - {1A6EAA13-A26C-4F26-8D37-043CC64896C1} - C:\WINDOWS\system32\vturs.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\WINDOWS\system32\mcyqdqyr.dll
O2 - BHO: (no name) - {67270207-b9ee-4d26-9270-860fdb060ca1} - C:\WINDOWS\system32\ixt0.dll (file missing)
O15 - Trusted Zone: http://www.film2home.com
O15 - Trusted Zone: http://www.film2home.no
O15 - Trusted Zone: http://www.film2home.se
O15 - Trusted Zone: http://clients.playout.se
O15 - Trusted Zone: http://psswe.playout.se
O15 - Trusted Zone: *.sf-anytime.com
O20 - Winlogon Notify: wvusttq - wvusttq.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the report from Smitfraudfix, a new HJT log, and the scan results from AVG Anti-Spyware. Let me know how the computer is running.
C:\Program\Java\jre1.5.0_09\ <<< Java just updated to 10, you need an update. Make sure you remove the old version.
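A small triage script for the kind of HijackThis entries pskelley picks out above: BHO and Winlogon Notify lines whose file is missing, randomly named DLLs in system32, and Trusted Zone additions. This is an added example and is not part of the thread, nor a HijackThis or Spybot tool. The sample lines are copied from the log posted in this thread; the "random-looking filename" rule and the Trusted Zone allowlist are constructed assumptions, meant as a review aid rather than a verdict.

```python
import re
from typing import Dict, List

# Constructed sample: representative lines copied from the HijackThis log
# posted in this thread (backslashes doubled for the Python string literal).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {1A6EAA13-A26C-4F26-8D37-043CC64896C1} - C:\\WINDOWS\\system32\\vturs.dll (file missing)
O2 - BHO: (no name) - {35F7813A-AF74-4474-B1DC-7EE6FB6C43C6} - C:\\WINDOWS\\system32\\mcyqdqyr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program\\SPYBOT~1\\SDHelper.dll
O15 - Trusted Zone: http://www.film2home.se
O20 - Winlogon Notify: wvusttq - wvusttq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\\Program\\AVG Anti-Spyware 7.5\\guard.exe
"""

MISSING = " (file missing)"
# Assumed heuristic: five to nine lowercase letters plus .dll/.exe is the
# shape of the rogue system32 files in this thread (vturs, mcyqdqyr,
# wvusttq, llngfpxs). Legitimate names usually carry a vendor prefix,
# capitals or digits. It is a review hint, not a signature.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,9}\.(?:dll|exe)$")
ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<rest>.+)$")


def basename(path: str) -> str:
    """Last component of a Windows path, with the HJT marker stripped."""
    clean = path.replace(MISSING, "").strip()
    return clean.replace("\\", "/").rsplit("/", 1)[-1]


def triage(log_text: str, trusted_allow=frozenset()) -> List[Dict[str, str]]:
    """Return one finding per suspicious O2/O15/O20 entry in a HJT log."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header lines, the process list, blanks
        section, rest = m.group("section"), m.group("rest")
        reasons = []
        target = rest
        if section == "O15":
            target = rest.split(": ", 1)[1]
            if target not in trusted_allow:
                reasons.append("Trusted Zone entry not on the allowlist; confirm it was added deliberately")
        elif section in ("O2", "O20"):
            # Both formats end with " - <path>", so take the last dash-separated field.
            target = rest.rsplit(" - ", 1)[1]
            if MISSING in target:
                reasons.append("orphan entry: the referenced file no longer exists, remove the registry entry")
            if RANDOM_NAME_RE.match(basename(target)):
                reasons.append("random-looking filename, the pattern of the rogue system32 DLLs in this log")
        if reasons:
            findings.append({"section": section, "target": target, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:4} {f['target']}\n     {f['reasons']}")
```

Run over the sample it reports the two unnamed BHOs, the Trusted Zone site and the orphaned Winlogon Notify entry, and stays quiet on the Adobe, Spybot, WgaLogon and AVG lines. Pass the sites you know you added yourself as `trusted_allow` to silence the O15 findings.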
victorypath
2006-12-03, 19:44
Hi again!
Here are the logs:
SmitFraudFix v2.126
Scan done at 15:25:14,40, 2006-12-03
Run from C:\Documents and Settings\Mackan\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of HijackThis v1.99.1
Scan saved at 18:17:45, on 2006-12-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program\AVG Anti-Spyware 7.5\guard.exe
C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
C:\Program\F-Secure\Anti-Virus\FSGK32.EXE
C:\Program\F-Secure\Anti-Virus\fssm32.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program\Delade filer\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\Program\Java\jre1.5.0_09\bin\jusched.exe
C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\Program\Delade filer\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program\Delade filer\Mediafour\MACVNTFY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program\F-Secure\Common\FSM32.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\F-Secure\Common\FSMA32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.EXE
C:\Program\F-Secure\Common\FSMB32.EXE
C:\Program\Spyware Doctor\swdoctor.exe
C:\Program\F-Secure\Common\FCH32.EXE
C:\Program\F-Secure\Common\FAMEH32.EXE
C:\Program\SpywareGuard\sgmain.exe
C:\Program\SpywareGuard\sgbhp.exe
C:\Program\iPod\bin\iPodService.exe
C:\Program\F-Secure\Common\FNRB32.EXE
C:\Program\F-Secure\Common\FIH32.EXE
C:\Program\F-Secure\Anti-Virus\fsav32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\Program\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\Program\DELADE~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program\Delade filer\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program\Delade filer\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [MDDiskProtect.exe] C:\Program\Mediafour\MacDrive\MDDiskProtect.exe
O4 - HKLM\..\Run: [MediafourGettingStartedWithMacDrive6] "C:\Program\Mediafour\MacDrive\MacDrive.exe" /runonce
O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program\Delade filer\Mediafour\MACVNTFY.EXE" /auto
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: SpywareGuard.lnk = C:\Program\SpywareGuard\sgmain.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program\ColorVision\Utility\ColorVisionStartup.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\Program\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3C473C06-997F-4AEC-B9FC-4E8477263877}: NameServer = 195.58.103.124,195.58.103.18
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program\Delade filer\Mediafour\MacDriveiTunesPatch.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatisk LiveUpdate-schemaläggare - Unknown owner - C:\Program\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BackWeb (BackWeb Client - 7681197) - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: F-Secure BackWeb LAN Access - Unknown owner - C:\Program\F-Secure\BackWeb\7681197\Program\fsbwlan.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - C:\Program\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\Program\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - C:\Program\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program\F-Secure\Common\FSMA32.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 17:04:22 2006-12-03
+ Scan result:
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP412\A0051755.exe -> Adware.Maxifiles : Cleaned.
C:\Program\Delade filer\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053071.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053072.exe -> Adware.Softomate : Cleaned.
C:\Mackans Mapp\Media\Apps\cuteftppro2+Crk\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\Documents and Settings\victorypath\Mina dokument\Mina mottagna filer\cuteftppro2+Crk.zip/cuteftppro2+Crk/Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
D:\Program\CuteFTP Pro\Patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053090.exe -> Trojan.Dialer.qs : Cleaned.
::Report end
AVG found the Trojan.Dialer.qs again if you look in the AVG report: "C:\System Volume Information\_restore{A2AF58B2-83EB-46DB-8FC8-B6CEAAE16AC0}\RP420\A0053090.exe -> Trojan.Dialer.qs : Cleaned." Does that mean that it reinstalled itself again?
Now the icon on my taskbar has disappeared and my computer seems to run normally, maybe a little bit slow at startup, but I have installed a few anti-spyware programs which I think make the startup a bit slower.
Which programs do you recommend me to use for spyware/adware?
Do I need many of them or can I stick with just a couple?
Now I have the following:
-Spybot Search & Destroy
-Ad-Aware SE personal
-Spywaredoctor
-AVG Anti-Spyware
-SpywareGuard
-Spywareblaster (not installed)
-Windows Defender (not installed)
Do you recommend IE or Firefox (default)? Should I install the new IE7?
Thanx a lot for all your help! I'm very grateful!
pskelley
2006-12-03, 20:43
AVG found the Trojan.Dialer.qs again
No, understand those are your System Restore files. SR makes backups and it does not know the good from the bad. IF YOU WERE to use System Restore it would put the bad stuff back on your computer as well as the good "Restore". We will clean out those files soon so that cannot happen.
Which programs do you recommend me to use for spyware/adware?
Do i need many of them or can i stick with just a couple?
I will give you links to expert opinions, if after you read them, you still have questions, post them. A good rule to remember is one active antivirus program, one active firewall and one active spyware program.
You can have programs like Spybot and Ad-aware installed because they are not running or active, you use them for scans and close them. I personally run McAfee for AV, Free Zone Alarm for a firewall and a combination of SpywareBlaster/SpywareGuard for my active spyware programs. I also install IE-Spyad which you will read about.
Do you recommend IE or Firefox(default)? Should i install the new IE7?
I run both and love IE-7. Used to be IE got hacked a lot, but anymore the hackers do not care what browser you use. If you don't protect yourself, you will get infected. As important, or more so, as running good programs is keeping them updated and online surfing habits. If you go where the junk is and do not protect yourself, you will get infected. You must practice "safe surf", ask Google:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=safe+surf
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=surfing+safe
My suggestion would be to get yourself updated on whatever browser you run. Internet Explorer is 7.0, and Firefox is 2.0.
As far as I can see, your HJT log looks clean of malware. Java did just update so find the coffee cup in the control panel (Java console) and update it. Next do this:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
You mentioned slow boot times; keep in mind we cleaned Prefetch, so it will boot slowly a few times while Windows repopulates Prefetch.
Here are some ideas that may help speed you up:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
http://www.techbuilder.org/recipes/59201471
Safe surfing...tashi:) will close the topic in a few days.
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
victorypath
2006-12-04, 14:27
Just out of curiosity, I did a Panda Online Scan yesterday. It found the following threats:
Incident Status Location
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Mackan\Application Data\Mozilla\Firefox\Profiles\f4eo5e67.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Research-int Not disinfected C:\Documents and Settings\Mackan\Cookies\mackan@research-int[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Madde\Application Data\Mozilla\Firefox\Profiles\umdam62n.default\cookies.txt[.bravenet.com/]
Virus:Trj/LdPinch.UX Disinfected C:\Mackans Mapp\Apps\Adobe Acrobat Writer 6.0 Professional\Adobe Acrobat Writer 6.0 Professional + serial.zip[Adobe Acrobat 6.0 Professional/setup.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Mackans Mapp\Apps\Spyware & Adware-Program\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Adware:Adware/WebSearch Not disinfected C:\Program\Hijackthis\backups\backup-20061203-171144-424.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\llngfpxs.dll
Adware:Adware/WebSearch Not disinfected C:\WINDOWS\system32\mcyqdqyr.dll
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\ofopifgu.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\WINDOWS\system32\yokohbah.exe
Spyware:Cookie/Research-int Not disinfected D:\Documents and Settings\Madde\Application Data\Mozilla\Firefox\Profiles\icrknrkk.default\cookies.txt[.research-int.se/]
Spyware:Cookie/Research-int Not disinfected D:\Documents and Settings\Madde\Cookies\madde@research-int[2].txt
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\victorypath\Application Data\Mozilla\Firefox\Profiles\1c9ykb74.default\cookies.txt[.tucows.com/]
Virus:W32/Mydoom.N.worm Disinfected D:\Documents and Settings\victorypath\Application Data\Thunderbird\Profiles\g3mpkz93.default\Mail\Local Folders\Borttaget[frida@mediaplex.com.zip][frida@mediaplex.com]
Virus:W32/Mydoom.N.worm Disinfected D:\Documents and Settings\victorypath\Application Data\Thunderbird\Profiles\g3mpkz93.default\Mail\Local Folders\Borttaget[attachment.scr.safe]
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\victorypath\Cookies\victorypath@atwola[1].txt
Spyware:Cookie/Research-int Not disinfected D:\Documents and Settings\victorypath\Cookies\victorypath@research-int[1].txt
Spyware:Cookie/SpywareStormer Not disinfected D:\Documents and Settings\victorypath\Cookies\victorypath@spywarestormer[1].txt
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Thanks!\message_part2.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Re: Re: Your document\document_4351.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Your text\your_text.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Your bill\your_bill.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Re: Thanks!\document.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Hi\your_file.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Your details\your_details.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Document\your_document.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Re: Message\message_details.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Borttaget\Re: Hi\your_file.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Inkorgen\Re: Word file\document_word.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Inkorgen\Re: Your archive\your_archive.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Inkorgen\Re: Details\my_details.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Inkorgen\Re: Thanks!\message_part2.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Inkorgen\Re: Hi\your_file.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Skickat\kinnas mail\Re: Hi\your_file.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Skickat\kinnas mail\Re: Thanks!\message_part2.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Skickat\kinnas mail\Re: Details\my_details.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Skickat\kinnas mail\Re: Your archive\your_archive.pif.safe
Virus:W32/Netsky.D.worm Disinfected Personliga mappar\Skickat\kinnas mail\Re: Word file\document_word.pif.safe
Spyware:Cookie/Tucows Not disinfected D:\RECYCLER\NPROTECT\00000019.MOZ[.tucows.com/]
Spyware:Cookie/Tucows Not disinfected D:\RECYCLER\NPROTECT\00000024.MOZ[.tucows.com/]
Possible Virus. Not disinfected D:\WINDOWS\system32\Webupdate2.dll
Virus:W32/Mydoom.N.worm Disinfected E:\Backup\Mackans Backup\Thunderbird mail\Profiles\g3mpkz93.default\Mail\Local Folders\Borttaget[frida@mediaplex.com.zip][frida@mediaplex.com]
Virus:W32/Mydoom.N.worm Disinfected E:\Backup\Mackans Backup\Thunderbird mail\Profiles\g3mpkz93.default\Mail\Local Folders\Borttaget[attachment.scr.safe]
What do you think of the threats which are still there? Do I need to take action or are they harmless?
pskelley
2006-12-04, 15:13
Let's look at this list and see what is there:
Many are cookies; you will pick up cookies as you surf. You can control them with this information:
Internet Explorer:
http://privacy.getnetwise.org/browsing/tools/firefox1/ffdisablecookies
http://www.mozilla.org/projects/security/pki/psm/help_21/using_priv_help.html
Firefox:
http://vlaurie.com/computers2/Articles/runbetter.htm
http://www.linkgrinder.com/tutorials/10_Easy_Steps_to_Speed_Up_Your_Comp_24946_Computers_article.html
Make sure you delete all cookies:
http://www.pchell.com/support/privacy.shtml
I personally do not suggest a third party cleaner; control and delete them yourself. If you control them, allowing only what you need for passwords, banking, etc., you will have none.
Potentially unwanted tool:Application/Processor Not disinfected C:\Mackans Mapp\Apps\Spyware & Adware-Program\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Delete those Smitfraudfix files.
Adware:Adware/WebSearch Not disinfected C:\Program\Hijackthis\backups\backup-20061203-171144-424.dll
Delete the backups in HJT: http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore
DO NOT RESTORE...DELETE ALL
D:\Documents and Settings\victorypath\Application Data\Thunderbird\Profiles\g3mpkz93.default\Mail\Local Folders\Borttaget[attachment.scr.safe]
You are storing stuff that has been disinfected. Navigate to there and clean out that folder.
D:\RECYCLER\NPROTECT\ <<< this is an old Norton bin, see this:
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam
I would uninstall or delete all Norton junk since you use F-Secure
Delete these files, if you have a problem, use this tool:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
C:\WINDOWS\system32\llngfpxs.dll
C:\WINDOWS\system32\mcyqdqyr.dll
C:\WINDOWS\system32\yokohbah.exe
Once you have a clean Panda scan, run a scan with F-Secure and post it for me.
Thanks
pskelley
2006-12-09, 14:45
Once you have a clean Panda scan, run a scan with F-Secure and post it for me.:sad:
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.