Results 1 to 8 of 8

Thread: Please Help, I have adware in my comp!

  1. #1
    Junior Member
    Join Date
    Jun 2008
    Posts
    6

    Default Please Help, I have adware in my comp!

    Everytime I want to open a directory (Folders, My Computer, Hard Drive,etc.) that's not in the desktop, an error shows up.
    "System Error! Attention, System Administrator! Some dangerous trojan horses detected in your system. Microsoft Windows XP files corrupted.
    This may lead to the destruction of important files in C:/Windows.0. Download protection software now!

    Click OK to download antispyware. (Recommended)"

    That's a dialog box error, to be precise.
    Here's my HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:16:14 PM, on 6/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nakido\nakido.exe
    C:\WINDOWS.0\system32\HPZipm12.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\rundll32.exe
    C:\WINDOWS.0\VistaDrive\VistaDrive.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS.0\system32\hkcmd.exe
    C:\WINDOWS.0\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    H:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    H:\Program Files\BitComet\BitComet.exe
    H:\Program Files\Ashampoo\Ashampoo Movie Shrink & Burn 3\bin\ShrinkAndBurn3.exe
    H:\Program Files\Ashampoo\Ashampoo Movie Shrink & Burn 3\bin\amf_slv.exe
    h:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: BhoApp Class - {5F920865-38C9-40DA-8FCF-D9DC83F84EC5} - C:\WINDOWS.0\system32\tupdfo.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - H:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS.0\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS.0\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS.0\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS.0\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Veoh] "H:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://H:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: interceptor.dll,avgrsstx.dll,
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.0\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 9281 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Read and follow all directions carefully:

    C:\WINDOWS.0\VistaDrive\VistaDrive.exe <<< do you know what this is?
    If not scan that file here:
    http://virusscan.jotti.org/ you will probably need to show hidden files and folders:
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html


    http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post the C:\rapport.txt and the information about that file.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Jun 2008
    Posts
    6

    Default OK, here's the report

    Thanks for the speedy reply.
    Here's the SmitFraudFix report:
    SmitFraudFix v2.325

    Scan done at 10:26:44.95, Mon 06/16/2008
    Run from C:\PROGRA~1\MOZILL~1\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    Process

    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\WINDOWS.0\system32\rundll32.exe
    C:\WINDOWS.0\VistaDrive\VistaDrive.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS.0\system32\hkcmd.exe
    C:\WINDOWS.0\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    H:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nakido\nakido.exe
    C:\WINDOWS.0\system32\HPZipm12.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    H:\Program Files\BitComet\BitComet.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Windows Media Player\wmplayer.exe
    C:\WINDOWS.0\explorer.exe
    C:\PROGRA~1\MOZILL~1\SmitfraudFix\Policies.exe
    C:\WINDOWS.0\system32\cmd.exe

    hosts


    C:\


    C:\WINDOWS.0


    C:\WINDOWS.0\system


    C:\WINDOWS.0\Web


    C:\WINDOWS.0\system32


    C:\WINDOWS.0\system32\LogFiles


    C:\Documents and Settings\Afif Akif


    C:\Documents and Settings\Afif Akif\Application Data


    Start Menu


    C:\DOCUME~1\AFIFAK~1\FAVORI~1


    Desktop


    C:\Program Files


    Corrupted keys


    Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri



    VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    404Fix
    !!!Attention, following keys are not inevitably infected!!!

    404Fix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="interceptor.dll,avgrsstx.dll,"
    "LoadAppInit_DLLs"=dword:00000001


    Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS.0\\system32\\userinit.exe,"
    "System"=""


    Rustock



    DNS

    Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 192.168.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{DBCA05B0-3970-4360-A846-4F8B62D6788F}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{DBCA05B0-3970-4360-A846-4F8B62D6788F}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{DBCA05B0-3970-4360-A846-4F8B62D6788F}: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1


    Scanning for wininet.dll infection


    End

    And about VistaDrive.exe:
    I asked my dad about that file, he said it's suppose to be a file which makes my OS works like Vista. But anyways, here's the report of VistaDrive.exe
    ArcaVir found Trojan.Downloader.Autoit.A
    And
    Ikarus Found Backdoor.Win32.Rbot
    Other than that, other scanner found nothing.
    Thanks again

  4. #4
    Junior Member
    Join Date
    Jun 2008
    Posts
    6

    Default

    Oh yeah, by the way, I got to go. School here starts by afternoon.
    Thanks in advance

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    And about VistaDrive.exe:
    I asked my dad about that file, he said it's suppose to be a file which makes my OS works like Vista. But anyways, here's the report of VistaDrive.exe
    ArcaVir found Trojan.Downloader.Autoit.AAnd
    Ikarus Found Backdoor.Win32.Rbot
    Other than that, other scanner found nothing.
    You may want to ask your dad why they scans say it is a trojan?

    I don't think the tool worked because of the messed up way the operating System is install on this computer.
    C:\WINDOWS.0\System32\smss.exe <<< with th .0 in many files, I have no idea why it was installed like that. Perhaps you should be asking your dad to fix the problems?

    Download Malwarebytes' Anti-Malware to your desktop.
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file & a new HJT log in your next reply.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  6. #6
    Junior Member
    Join Date
    Jun 2008
    Posts
    6

    Default Here's both of the logs

    Windows.0 is a directory created when you install a new version (or current) of Windows on a comp which has Windows without formatting. Yeah, you could say it's messed up.. Well, anyway, here's the logs:
    Malwarebytes' Anti-Malware 1.17
    Database version: 856

    8:41:55 PM 6/17/2008
    mbam-log-6-17-2008 (20-41-54).txt

    Scan type: Full Scan (C:\|D:\|)
    Objects scanned: 124532
    Time elapsed: 37 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
    Notes: While the files been scanned, my AVG ran along with it and cleans all the threat. And so, all the trojans in my hard drives are gone but, better safe than sorry.


    Here's the HJT log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:17:49, on 6/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16674)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS.0\System32\smss.exe
    C:\WINDOWS.0\system32\winlogon.exe
    C:\WINDOWS.0\system32\services.exe
    C:\WINDOWS.0\system32\lsass.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\System32\svchost.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\WINDOWS.0\system32\spoolsv.exe
    C:\WINDOWS.0\Explorer.EXE
    C:\WINDOWS.0\system32\rundll32.exe
    C:\WINDOWS.0\VistaDrive\VistaDrive.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS.0\system32\hkcmd.exe
    C:\WINDOWS.0\system32\igfxpers.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS.0\system32\ctfmon.exe
    H:\Program Files\Veoh Networks\Veoh\VeohClient.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Nakido\nakido.exe
    C:\WINDOWS.0\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\PROGRA~1\AVG\AVG8\avgam.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS.0\system32\HPZipm12.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
    H:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - H:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
    O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: BhoApp Class - {5F920865-38C9-40DA-8FCF-D9DC83F84EC5} - C:\WINDOWS.0\system32\tupdfo.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
    O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - H:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS.0\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS.0\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS.0\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS.0\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Hide IP Platinum] C:\Program Files\Hide IP Platinum\hideippla.exe
    O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Veoh] "H:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://H:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: interceptor.dll,avgrsstx.dll,
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Nakido - Nakido - C:\Program Files\Nakido\nakido.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS.0\system32\HPZipm12.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 9165 bytes

    Will do what you say,,

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Use HJT to remove this dead item:

    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: BhoApp Class - {5F920865-38C9-40DA-8FCF-D9DC83F84EC5} - C:\WINDOWS.0\system32\tupdfo.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    Run Clean Manager
    http://spyware-free.us/tutorials/cleanmgr/

    C:\Program Files\Java\jre1.6.0_05\ <<< update your Java program, see this:
    http://forums.spybot.info/showpost.p...80&postcount=2

    If MBAM and AVG 8 both say you are clean, chances are very good that you are. If you want to run additional scans, let me know and I will post them.

    I suggest this realtime free Spyware program for additional protection:
    http://www.microsoft.com/windows/pro...r/default.mspx

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Jun 2008
    Posts
    6

    Talking Thanks alot!

    Thanks a lot for your help cleaning all of this viruses and trojans. Will give you a virtual lemonade if possible. Thanks again

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •