PDA

View Full Version : Win32.TrojanSpy.Goldun and something else



Rock Princess
2006-12-23, 21:48
I have a problem!

This is ad-aware log file so you can see waht is all about ;)


[B]Ad-Aware SE Build 1.05
Logfile Created on:23. prosinac 2006 17:35:28
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R140 18.12.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):38 total references
Win32.TrojanClicker(TAC index:10):1 total references
Win32.TrojanSpy.Goldun(TAC index:10):9 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


23.12.2006 17:35:28 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\x\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\adobe\acrobat reader\6.0\avgeneral\crecentfiles
Description : list of recently used files in adobe reader


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\ahead\nero - burning rom\recent file list
Description : list of recently used files in nero burning rom


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\ahead\nero wave editor\recent file list
Description : list of recently used files in nero wave editor


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\mediaplayer\medialibraryui
Description : last selected node in the microsoft windows media player media library


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\common\general
Description : list of recently used symbols in microsoft office


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\excel\recent files
Description : list of recent files used by microsoft excel


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\powerpoint\recent templates
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\powerpoint\recent typeface list
Description : list of recently used typefaces in microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\powerpoint\recentfolderlist
Description : list of recent folders used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\office\10.0\powerpoint\recenttemplatelist
Description : list of recent templates used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\applets\paint\recent file list
Description : list of files recently opened using microsoft paint


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-1417001333-1647877149-839522115-1003\software\winrar\dialogedithistory\extrpath
Description : winrar "extract-to" history


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 588
ThreadCreationTime : 23.12.2006 11:36:57
BasePriority : Normal


#:2 [services.exe]
FilePath : C:\windows\system32\
ProcessID : 708
ThreadCreationTime : 23.12.2006 11:37:01
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:3 [lsass.exe]
FilePath : C:\windows\system32\
ProcessID : 720
ThreadCreationTime : 23.12.2006 11:37:01
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:4 [svchost.exe]
FilePath : C:\windows\system32\
ProcessID : 892
ThreadCreationTime : 23.12.2006 11:37:02
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:5 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 972
ThreadCreationTime : 23.12.2006 11:37:02
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [spoolsv.exe]
FilePath : C:\windows\system32\
ProcessID : 1316
ThreadCreationTime : 23.12.2006 11:37:04
BasePriority : Normal
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\system32\

Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\system32\xcttgs.dll)
#:7 [nvsvc32.exe]
FilePath : C:\windows\System32\
ProcessID : 1456
ThreadCreationTime : 23.12.2006 11:37:04
BasePriority : Normal
FileVersion : 6.14.10.5303
ProductVersion : 6.14.10.5303
ProductName : NVIDIA Driver Helper Service, Version 53.03
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 53.03
InternalName : NVSVC
LegalCopyright : (C) NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

Rock Princess
2006-12-23, 21:48
Win32.TrojanSpy.Goldun Object Recognized! Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)

Warning! "C:\windows\System32\nvsvc32.exe"Process could not be terminated!

#:8 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 1576
ThreadCreationTime : 23.12.2006 11:37:04
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [vsmon.exe]
FilePath : C:\WINDOWS\system32\ZoneLabs\
ProcessID : 176
ThreadCreationTime : 23.12.2006 11:37:05
BasePriority : Normal
FileVersion : 6.1.744.001
ProductVersion : 6.1.744.001
ProductName : TrueVector Service
CompanyName : Zone Labs, LLC
FileDescription : TrueVector Service
InternalName : vsmon
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : vsmon.exe

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\system32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\system32\xcttgs.dll)


#:10 [magickey.exe]
FilePath : C:\PROGRA~1\MEDIAK~1\
ProcessID : 2628
ThreadCreationTime : 23.12.2006 11:40:43
BasePriority : Normal


Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)


#:11 [zlclient.exe]
FilePath : C:\Program Files\Zone Labs\ZoneAlarm\
ProcessID : 2684
ThreadCreationTime : 23.12.2006 11:40:44
BasePriority : Normal
FileVersion : 6.1.744.001
ProductVersion : 6.1.744.001
ProductName : Zone Labs Client
CompanyName : Zone Labs, LLC
FileDescription : Zone Labs Client
InternalName : zlclient
LegalCopyright : Copyright © 1998-2005, Zone Labs, LLC
OriginalFilename : zlclient.exe

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)


#:12 [cleanmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1788
ThreadCreationTime : 23.12.2006 13:29:44
BasePriority : Normal
FileVersion : 6.00.2600.0000 (xpclient.010817-1148)
ProductVersion : 6.00.2600.0000
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Disk Space Cleanup Manager for Windows
InternalName : CLEANMGR
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CLEANMGR.DLL

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\WINDOWS\system32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\WINDOWS\system32\xcttgs.dll)


#:13 [msnmsgr.exe]
FilePath : C:\Program Files\MSN Messenger\
ProcessID : 4004
ThreadCreationTime : 23.12.2006 14:05:02
BasePriority : Normal
FileVersion : 8.0.0812.00
ProductVersion : 8.0.0812
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Messenger
InternalName : msnmsgr.exe
LegalCopyright : Copyright (c) Microsoft Corporation. All rights reserved.
OriginalFilename : msnmsgr.exe

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)


#:14 [svchost.exe]
FilePath : C:\windows\System32\
ProcessID : 3616
ThreadCreationTime : 23.12.2006 14:05:48
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:15 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 2072
ThreadCreationTime : 23.12.2006 14:43:05
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)


#:16 [spybotsd.exe]
FilePath : C:\Program Files\Spybot - Search & Destroy\
ProcessID : 2812
ThreadCreationTime : 23.12.2006 15:19:19
BasePriority : Normal
FileVersion : 1.4.0.3
ProductVersion : 1, 4, 0, 3
ProductName : SpyBot-S&D
CompanyName : Safer Networking Limited
FileDescription : Spybot - Search & Destroy
InternalName : SpybotSD
LegalCopyright : © 2000-2005 Patrick M. Kolla / Safer Networking Limited. Alle Rechte vorbehalten.
LegalTrademarks : "Spybot" und "Spybot - Search & Destroy" sind registrierte Warenzeichen.
OriginalFilename : SpyBotSD.exe
Comments : Software zum Entfernen von Spyware und ähnlichen Bedrohungen.

Win32.TrojanSpy.Goldun Object Recognized!
Type : Process
Data : xcttgs.dll
Category : C:\Program Files\Lavasoft\Ad-Aware SE Personal\lang\
Comment : xdudtt.dll.dmp
Object : C:\windows\System32\


Warning! Win32.TrojanSpy.Goldun Object found in memory(C:\windows\System32\xcttgs.dll)


Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 47


Win32.TrojanClicker Object Recognized!
Type : File
Data : A0187491.exe
Category : Malware
Comment :
Object : C:\System Volume Information\_restore{4F016A87-6A13-4AB6-8790-F38609AB6136}\RP508\



Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48


Scanning Hosts file......
Hosts file location:"C:\windows\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
31 entries scanned.
New critical objects:0
Objects found so far: 48




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 48

18:44:17 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:01:08:48.359
Objects scanned:169936
Objects identified:1
Objects ignored:0
New critical objects:1[/B]

I made the important things red :D...

I scanned the system with Ad-Aware and Spybot-S&D (I fixed all the spybots in Spybot-S&D), but I can´t delete this malware...it is virus and a trojan horse, according to ad-aware...

Please, help me to clean my computer ;)

Tnx!:)

Mr_JAk3
2006-12-24, 19:07
Hi Rock Princess :D:

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breech. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

Please post a HijackThis log to here: Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis to your desktop. Move Hijackthis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Rock Princess
2006-12-25, 21:03
Ok!I´ll do that and then I´ll contact you and send Hijack This log file!
Thank you a lot! :D

Rock Princess
2006-12-25, 21:09
Logfile of HijackThis v1.99.1
Scan saved at 20:06:22, on 25.12.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\MEDIAK~1\MagicKey.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MEDIAK~1\OSD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\x\Desktop\Skype 7.0.4\Anti-malware tools\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MagicKey] C:\PROGRA~1\MEDIAK~1\MagicKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://missmusicmostar.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



This is the Hijack log file!I hope you´ll be able to help me!:D
I have done an Avast scan and I deleted some of the viruses but I´m not sure have I done it properly...

Tnx one more time!:D:

Mr_JAk3
2006-12-26, 12:14
Hi again :)

Before we can start the cleaning I need you to do something important.

Please download and install Windows XP Service Pack 1A -> Windows XP SP1a (http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx)
NOTE! Do NOT install Service Pack 2 yet. We'll have to get you cleaned first

Post a fresh HijackThis log when you're ready :bigthumb:

Rock Princess
2006-12-26, 14:29
Tnx!

I have been doing some cleaning with Avast! and Ad-Aware and I haven´t found any problems after that.I haven´t installed SP1a yet because I couldn´t find the link for download.The page you gave me took me somewhere else.This is the HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 13:25:38, on 26.12.2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\MEDIAK~1\MagicKey.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\MEDIAK~1\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\System32\wuauclt.exe
C:\Documents and Settings\x\Desktop\Skype 7.0.4\Anti-malware tools\HIJACKTHIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MagicKey] C:\PROGRA~1\MEDIAK~1\MagicKey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\windows\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\nbj.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk.disabled
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Whistle - {220E39C3-B081-4719-AB1A-9A884DCBD05C} - C:\Program Files\WhistleSoftware\WselServices\webband.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/content/common/cab/DjVuControlLite_EN.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://missmusicmostar.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1167135327156
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: xcttgs - xcttgs.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I hope you´ll be able to see are there any viruses left there :D.

Maybe I should do the automatic update of my computer?
I´ll wait for your advice!;) :)

Tnx!

Mr_JAk3
2006-12-26, 20:44
Hi :)

Hmm this should be the direct link to the SP1a download >Here< (http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx)

You can also download & install it via Windows Update (http://windowsupdate.microsoft.com)

Just don't install SP2 yet.

Please post a fresh Hijackhis log when you've done this :bigthumb:

Rock Princess
2006-12-26, 20:52
Hi :)

Hmm this should be the direct link to the SP1a download >Here< (http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx)

You can also download & install it via Windows Update (http://windowsupdate.microsoft.com)

Just don't install SP2 yet.

Please post a fresh Hijackhis log when you've done this :bigthumb:


I´ really sorry for bothering you, but when I click on the direct link whaich you gave me I go to page http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx.
Should I click on Express Instalation?

Mr_JAk3
2006-12-26, 21:17
Yes, click on the Express Installation :)

(it wasn't so direct after all :P)

Rock Princess
2006-12-27, 15:28
No problem...I´ve clicked od Express Installation but it doesn´t takes me directly to the download link...can you give some direct link on RapidShare or something?:DI´m an amater, sorry!

I haven´t found any viruses during my Avast and Ad-Aware scans...have I maybe cleaned them all?

Mr_JAk3
2006-12-27, 18:13
Okay, please try this link here (http://www.download.com/Windows-XP-Service-Pack-1a-SP1a-/3000-2098_4-10147920.html)
Click on " Download Now " and save the file to your desktop.

Doubleclick the file on you desktop and follow the prompts.

Post a fresh HijackThis log when you're ready.

It is possible that you have removed some infections but we need to get you protected first :)

tashi
2007-01-04, 20:15
How is it going Rock Princess? :)

tashi
2007-01-09, 02:37
:scratch:

This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original topic starter.