GeekPolice

spyware and virus problem


Solved spyware and virus problem

Post by amibra on Sat Oct 04, 2008 11:27 pm

I have a virus/spyware problem with my laptop. When I run Malwarebytes it detected over 100 spyware files. When I remove them, Malwarebytes asks me to start up the system. When I start up, my desktop is missing and I can't open any file. I think a file in Windows is infected and Malwarebytes deletes it. I use System Restore to recover my desktop, but my laptop is then still infected with spyware. Here are the HijackThis log and the Malwarebytes log. Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:27, on 5-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\pipo\LOCALS~1\Temp\Rar$EX00.485\EAV.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {38D44FB1-58EF-49DD-9658-C114B3BC6F34} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqomj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: {1f24a201-b0f3-9649-a614-ecfcebb6f238} - {832f6bbe-cfce-416a-9469-3f0b102a42f1} - C:\WINDOWS\system32\qktwbr.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [BM27ddab42] Rundll32.exe "C:\WINDOWS\system32\kihgahfe.dll",s
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: awtqomj - C:\WINDOWS\SYSTEM32\awtqomj.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5848 bytes

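As an added example (not code from HijackThis, Malwarebytes or this forum), a small Python triage script for a log like the one above: it flags the UserInit (F2), Winlogon Notify (O20), unnamed-BHO (O2) and rundll32 Run (O4) entries that point outside the Windows defaults, and cross-references a DLL that shows up in more than one autostart location. The sample lines are copied from the log above; the rules are my own heuristics, not the tool's.

```python
import re
from dataclasses import dataclass

# Constructed sample: entry lines copied from the HijackThis log posted above,
# with the header trimmed to what the parser needs.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {38D44FB1-58EF-49DD-9658-C114B3BC6F34} - C:\WINDOWS\system32\mlljj.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\awtqomj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BM27ddab42] Rundll32.exe "C:\WINDOWS\system32\kihgahfe.dll",s
O20 - Winlogon Notify: awtqomj - C:\WINDOWS\SYSTEM32\awtqomj.dll
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "review"
    section: str    # HijackThis section code, e.g. "F2", "O20"
    detail: str


ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# A Windows path ending in .dll/.exe; spaces allowed, stops at a quote or comma.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\",]+?\.(?:dll|exe)\b", re.I)
RANK = {"high": 0, "review": 1}


def entries(log_text):
    """Yield (section, body) for each entry line; headers and the process list are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return findings for one log, highest severity first (stable within a rank)."""
    parsed = list(entries(log_text))

    # Index every DLL/EXE by the sections it appears in: a module that is both
    # a BHO (O2) and a Winlogon Notify package (O20) is loaded into the browser
    # and into winlogon.exe, which is the pattern for awtqomj.dll above.
    sections_by_module = {}
    for section, body in parsed:
        for path in PATH_RE.findall(body):
            sections_by_module.setdefault(basename(path), set()).add(section)

    findings = []
    for section, body in parsed:
        paths = PATH_RE.findall(body)
        if section == "F2" and "userinit=" in body.lower():
            # Winlogon runs every comma-separated program in UserInit at logon;
            # only userinit.exe belongs there.
            programs = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
            extras = [p for p in programs if basename(p) != "userinit.exe"]
            if extras:
                findings.append(Finding("high", section,
                                        "UserInit runs extra program(s) at logon: " + ", ".join(extras)))
        elif section == "O2" and paths:
            name = body.split(" - ")[0]
            if "(no name)" in name:
                findings.append(Finding("high", section, f"unnamed BHO {paths[-1]}"))
            elif in_system32(paths[-1]):
                findings.append(Finding("review", section, f"BHO loaded from system32: {paths[-1]}"))
        elif section == "O4" and "rundll32" in body.lower() and paths and in_system32(paths[-1]):
            findings.append(Finding("review", section, f"Run entry loads {paths[-1]} via rundll32"))
        elif section == "O20" and paths:
            dll = paths[-1]
            other = sections_by_module.get(basename(dll), set()) - {"O20"}
            sev = "high" if other else "review"
            where = f" (also in {', '.join(sorted(other))})" if other else ""
            findings.append(Finding(sev, section, f"Winlogon Notify package {dll}{where}"))

    findings.sort(key=lambda f: RANK[f.severity])
    return findings


def summary(findings):
    """One line per finding, in a form that can be pasted back into a reply."""
    return [f"[{f.severity}] {f.section}: {f.detail}" for f in findings]


if __name__ == "__main__":
    for line in summary(triage(SAMPLE_LOG)):
        print(line)
```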

Solved Re: spyware and virus problem

Post by amibra on Sat Oct 04, 2008 11:27 pm

The Malwarebytes log:

Malwarebytes' Anti-Malware 1.28
Database versie: 1229
Windows 5.1.2600 Service Pack 2

5-10-2008 3:54:33
mbam-log-2008-10-05 (03-54-25).txt

Scan type: Volledige Scan (C:\|)
Objecten gescand: 190726
Verstreken tijd: 1 hour(s), 40 minute(s), 57 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 20
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 5
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 70

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38d44fb1-58ef-49dd-9658-c114b3bc6f34} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{38d44fb1-58ef-49dd-9658-c114b3bc6f34} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqomj (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832f6bbe-cfce-416a-9469-3f0b102a42f1} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{832f6bbe-cfce-416a-9469-3f0b102a42f1} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm27ddab42 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> No action taken.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mlljj.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mlljj.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.

Mappen geïnfecteerd:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.

Bestanden geïnfecteerd:
C:\WINDOWS\system32\mlljj.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jjllm.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\awtqomj.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qktwbr.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\apdwrrxm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mxrrwdpa.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\elgtmjhw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\whjmtgle.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\favvssec.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\cessvvaf.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hasitocc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ccotisah.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ikpvbrtt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ttrbvpki.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\najrnqbt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tbqnrjan.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\oesragoe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\eogarseo.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pjmxwoes.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\seowxmjp.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rrjyjqiw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wiqjyjrr.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sjtulauy.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yualutjs.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sqswrowc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\cworwsqs.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tqdqurjf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fjruqdqt.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uhiwxntl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ltnxwihu.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vubkokjq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qjkokbuv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xlmglive.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\evilgmlx.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\OU2SHVUL\kb671231[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\OU2SHVUL\kb767887[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\PAQ101D7\kb713501[1] (Trojan.LowZones) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\GCVKLU31\zrt20080408[1] (Trojan.AVKiller) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\GCVKLU31\calc[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\GCVKLU31\iddqd[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\HCE13I78\kb767887[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\IYFEZVH3\kb456456[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\KKGBZOAP\moorate[1] (Trojan.AVKiller) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\TEUU1HL9\kb456456[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\TEUU1HL9\kb671231[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\TEUU1HL9\kb767887[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\TO7ZMPFD\idkfa[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\U2HZ0B3D\kb713501[1] (Trojan.LowZones) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\U38U2P4V\hctp[1] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP166\A0083924.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP166\A0083925.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP166\A0083926.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP166\A0083932.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084880.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084881.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084883.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084884.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084885.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0084886.dll (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{63590B0B-50DE-4EDB-855E-41B3DC14DB68}\RP168\A0085000.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\kihgahfe.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM27ddab42.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM27ddab42.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> No action taken


Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 9:10 am

Before we can even attempt to get you clean, I have to inform you that your log shows one or more backdoor bots.
This allows hackers to remotely steal personal information. If you do any online banking (eBay, PayPal, etc.), you need to get to a clean machine and change any passwords.

First, MBAM found a lot of junk, so let's use that to get rid of it.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (see note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log with a fresh copy of HijackThis log.
=====
Then download Combofix from here.
Code:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Do not run it just yet.

Then download the Microsoft Recovery Console from here:
Code:
http://www.microsoft.com/downloads/details.aspx?FamilyId=15491F07-99F7-4A2D-983D-81C2137FF464&displaylang=en
and save it as it is originally named, next to ComboFix.exe.



Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, it will ask you whether or not to continue with the malware scan. Select Yes, and post the resultant log.



Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 9:45 am

The problem is that when Malwarebytes asks me to restart my computer after the cleaning, my desktop is removed, and I can't open any files, even with the Task Manager. I think some file in Windows is infected and Malwarebytes removes it.


Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 11:28 am

Sounds like explorer.exe is being killed.
Can you try rebooting again after the reboot MBAM wanted? explorer.exe might restart itself.



Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 3:17 pm

I ran the Malwarebytes scan in safe mode and it didn't kill explorer.exe. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.28
Database versie: 1229
Windows 5.1.2600 Service Pack 2

5-10-2008 20:49:44
mbam-log-2008-10-05 (20-49-32).txt

Scan type: Snelle Scan
Objecten gescand: 100462
Verstreken tijd: 41 minute(s), 26 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 20
Registerwaarden geïnfecteerd: 4
Registerdata bestanden geïnfecteerd: 5
Mappen geïnfecteerd: 1
Bestanden geïnfecteerd: 45

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38d44fb1-58ef-49dd-9658-c114b3bc6f34} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{38d44fb1-58ef-49dd-9658-c114b3bc6f34} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqomj (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832f6bbe-cfce-416a-9469-3f0b102a42f1} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{832f6bbe-cfce-416a-9469-3f0b102a42f1} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> No action taken.

Registerwaarden geïnfecteerd:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm27ddab42 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\userinit (Backdoor.Bot) -> No action taken.

Registerdata bestanden geïnfecteerd:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Security Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mlljj.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\mlljj.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\ntos.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,) Good: (userinit.exe) -> No action taken.

Mappen geïnfecteerd:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> No action taken.

Bestanden geïnfecteerd:
C:\WINDOWS\system32\mlljj.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\jjllm.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\awtqomj.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qktwbr.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\apdwrrxm.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\mxrrwdpa.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\elgtmjhw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\whjmtgle.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\favvssec.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\cessvvaf.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\hasitocc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ccotisah.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ikpvbrtt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ttrbvpki.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\najrnqbt.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tbqnrjan.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\oesragoe.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\eogarseo.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\pjmxwoes.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\seowxmjp.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rrjyjqiw.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\wiqjyjrr.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sjtulauy.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\yualutjs.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sqswrowc.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\cworwsqs.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tqdqurjf.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\fjruqdqt.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\uhiwxntl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ltnxwihu.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vubkokjq.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\qjkokbuv.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\xlmglive.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\evilgmlx.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\pipo\Local Settings\Temporary Internet Files\Content.IE5\U38U2P4V\hctp[1] (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\audio.dll.cla (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> No action taken.
C:\WINDOWS\cookies.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\kihgahfe.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM27ddab42.xml (Trojan.Vundo) -> No action taken.
C:\WINDOWS\BM27ddab42.txt (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ntos.exe (Backdoor.Bot) -> No action taken.



HijackThis log (after the Malwarebytes and ComboFix scans)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:06:58, on 5-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CF13782.exe
C:\WINDOWS\system32\CF13782.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5978 bytes

amibra
Intermediate
Intermediate

Status :
Online
Offline

Posts : 76
Joined : 2008-09-23
Points : 30581
# Likes : 0

View user profile

Back to top Go down

Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 3:26 pm

The combofix log is just too long to put in these posts, so I uploaded it. Sorry.

[You must be registered and logged in to see this link.]


Last edited by amibra on Sun Oct 05, 2008 3:46 pm; edited 2 times in total

Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 3:26 pm

remove


Last edited by amibra on Sun Oct 05, 2008 3:32 pm; edited 1 time in total

Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 3:27 pm

remove


Last edited by amibra on Sun Oct 05, 2008 3:34 pm; edited 1 time in total

Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 3:28 pm

remove

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 4:00 pm

Hello.
Combofix didn't run properly for some reason, but forget combofix for now.

You didn't set MBAM to remove everything it found.


  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (see note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Administrator

Status :
Online
Offline

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245039
# Likes : 1

View user profile

Back to top Go down

Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 4:38 pm

I updated MBAM and scanned my system, it didn't find any spyware. Here is the log:

Malwarebytes' Anti-Malware 1.28
Database versie: 1230
Windows 5.1.2600 Service Pack 2

5-10-2008 22:34:28
mbam-log-2008-10-05 (22-34-28).txt

Scan type: Snelle Scan
Objecten gescand: 63620
Verstreken tijd: 6 minute(s), 16 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 0

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 4:39 pm

Ah.
So the last scan, you had it remove the stuff after you posted the log?

Well, MBAM is showing clean; how is the system's performance?


Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 4:42 pm

My laptop is a bit slow. Do I still have to post a combofix log? Thanks for the help.

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 4:53 pm

Did you re-run combofix?
The last run didn't work properly, but no worries, it showed me what I wanted.

We still have some cleaning up to do, I will post it after this post.


Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 4:59 pm

Ok thanks

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 5:01 pm

Okay, big post. Take your time and don't rush.
====

Please download OTMoveIt3 from [You must be registered and logged in to see this link.]


  • Open OTMoveIt3.exe.
  • In the Paste instructions for items to be moved section, copy and paste this in.

    :Reg
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Authentication Packages"=hex(7):"msv1_0"

    :Files
    C:\sqmdata09.sqm
    C:\sqmnoopt09.sqm
    C:\sqmdata08.sqm
    C:\sqmnoopt08.sqm
    C:\sqmdata07.sqm
    C:\sqmnoopt07.sqm
    C:\sqmdata06.sqm
    C:\sqmnoopt06.sqm
    C:\sqmdata05.sqm
    C:\sqmnoopt05.sqm

    :Commands
    [Purity]
    [EmptyTemp]

  • Then press the red MoveIt! button.
  • It will make a log in the results section; copy and paste that back here.

====

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform and language, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add or Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    - Java 2 Runtime Environment, SE v1.4.2
    - J2SE Runtime Environment 5.0
    - J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe that you downloaded to install the newest version.

====

Please download JavaRa from [You must be registered and logged in to see this link.]


  • First, unzip it.
  • Then run JavaRa.
  • Press Remove older versions
  • Press yes to the prompt.
  • It will make a log file of what it's removed.
  • Copy and paste the log back here.

===


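The OTMoveIt3 script above resets the LSA "Authentication Packages" value to just "msv1_0"; every name in that REG_MULTI_SZ is a DLL that LSASS loads at boot, so an extra entry is worth checking before and after a cleanup. The following is an added example (not from the thread, not part of OTMoveIt3) that parses the text `reg export` writes for that key and reports any package outside a known-good list; the sample export and the extra package name "roguepkg" are constructed.

```python
"""Audit the LSA "Authentication Packages" value from a .reg export.

Added example, not from the thread or from OTMoveIt3. The OTMoveIt3 script
above resets this REG_MULTI_SZ to just "msv1_0"; every name listed in it is a
DLL that LSASS loads at boot, so an extra entry is a persistence location worth
checking. This parses the text `reg export` writes (offline, no live registry
access) and reports entries outside a known-good list. Sample data is constructed.
"""
from __future__ import annotations

import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
# What the thread's fix leaves in place on Windows XP; adjust for other versions.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}

# Constructed sample export: "Authentication Packages" holds "msv1_0" followed
# by a made-up extra package "roguepkg" (UTF-16LE, each string NUL-terminated,
# whole list terminated by one more NUL). "Security Packages" holds "kerberos".
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,\
  72,00,6f,00,67,00,75,00,65,00,70,00,6b,00,67,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,\
  00,00,00,00
"""


def decode_hex7(payload: str) -> list[str]:
    """Turn a .reg hex(7) payload (comma-separated UTF-16LE bytes) into strings."""
    raw = bytes(int(b, 16) for b in re.split(r"[,\s\\]+", payload.strip()) if b)
    text = raw.decode("utf-16-le")
    # REG_MULTI_SZ: NUL-separated strings, with an empty string closing the list.
    return [s for s in text.split("\x00") if s]


def parse_reg_export(reg_text: str) -> dict[str, dict[str, object]]:
    """Return {key_path: {value_name: value}} for a Regedit 5.00 export.

    Backslash-continued lines are joined first. hex(7) (REG_MULTI_SZ) values
    are decoded to lists; values of any other type are kept as raw text.
    """
    keys: dict[str, dict[str, object]] = {}
    current: str | None = None
    joined = re.sub(r"\\\r?\n\s*", "", reg_text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        match = re.match(r'"([^"]+)"=(.*)$', line)
        if match and current is not None:
            name, payload = match.groups()
            if payload.startswith("hex(7):"):
                keys[current][name] = decode_hex7(payload[len("hex(7):"):])
            else:
                keys[current][name] = payload
    return keys


def audit_auth_packages(reg_text: str, expected=EXPECTED_AUTH_PACKAGES) -> dict:
    """Compare the exported Authentication Packages list with the expected set."""
    value = parse_reg_export(reg_text).get(LSA_KEY, {}).get("Authentication Packages")
    packages = value if isinstance(value, list) else []
    expected_lc = {e.lower() for e in expected}
    present_lc = {p.lower() for p in packages}
    return {
        "present": isinstance(value, list),
        "packages": packages,
        "unexpected": [p for p in packages if p.lower() not in expected_lc],
        "missing": sorted(e for e in expected if e.lower() not in present_lc),
    }


if __name__ == "__main__":
    report = audit_auth_packages(SAMPLE_REG_EXPORT)
    print("Authentication Packages:", report["packages"])
    for name in report["unexpected"]:
        print(f"  unexpected package: {name!r} (review the DLL LSASS would load)")
    if report["missing"]:
        print("  missing expected package(s):", report["missing"])
    if not report["unexpected"] and not report["missing"]:
        print("  value matches the expected list")
```

On a real machine, produce the input with `reg export HKLM\SYSTEM\CurrentControlSet\Control\Lsa lsa.reg` and feed the file's text to `audit_auth_packages`.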
Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 5:08 pm

OTMoveIt3 log:

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\"Authentication Packages"|hex(7):"msv1_0" /E : value set successfully!
========== FILES ==========
C:\sqmdata09.sqm moved successfully.
C:\sqmnoopt09.sqm moved successfully.
C:\sqmdata08.sqm moved successfully.
C:\sqmnoopt08.sqm moved successfully.
C:\sqmdata07.sqm moved successfully.
C:\sqmnoopt07.sqm moved successfully.
C:\sqmdata06.sqm moved successfully.
C:\sqmnoopt06.sqm moved successfully.
C:\sqmdata05.sqm moved successfully.
C:\sqmnoopt05.sqm moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.4.1 log created on 10052008_230418

javaralog:

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Oct 05 23:07:41 2008

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

------------------------------------

Finished reporting.



Here ya go

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 5:13 pm

Thank you.
Can you post a new Hijack This log please?


Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 5:14 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:14:40, on 5-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\pipo\Bureaublad\JavaRa.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Verzenden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Verz&enden naar OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6526 bytes

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 5:17 pm

Everything looks great --- your HijackThis log appears to be clean.
Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], [You must be registered and logged in to see this link.], or [You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.


Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 5:20 pm

Are Windows Firewall and ESET NOD32 Antivirus good? If I scan my computer once a week with MBAM, will this prevent me from a malware infection? Is my computer still open for hackers?

Solved Re: spyware and virus problem

Post by Belahzur on Sun Oct 05, 2008 5:23 pm

It's okay, but I do recommend a good firewall.
Scanning once a week should be okay; as long as you surf safely, you'll be okay.


Solved Re: spyware and virus problem

Post by amibra on Sun Oct 05, 2008 5:29 pm

Ok, thanks a lot for your help.
