Author Topic: Help me please,i need your help  (Read 18343 times)


Offline Corrine
Re: Help me please,i need your help
« Reply #30 on: July 15, 2007, 09:29:52 PM »
It is going to take me some time to review your log so please be patient. 

Thanks.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Mr Mando
Re: Help me please,i need your help
« Reply #31 on: July 15, 2007, 09:33:21 PM »
OK Corrine, take your time.

Offline Corrine
Re: Help me please,i need your help
« Reply #32 on: July 15, 2007, 11:00:20 PM »
In addition to MSN Password Finder, I'm seeing things like this that were removed by Dr Web:

PrivacyGuardSetup.exe;G:\The Privacy Guard 1.5 + Crack;Trojan.Ulone;Deleted.;
Tool.BrutusPWS;Deleted.;

This tells me that either you have been up to no good or your security has been severely compromised.  If you wish to continue attempting to clean this machine, I need to repeat my caution regarding online banking or bill paying.  Go to another computer and change any passwords for such accounts and do not access them from this computer.

I strongly suggest a firewall and antivirus software.  The following are free for personal use:

Firewalls:

Agnitum Outpost Firewall
Comodo Free Firewall
Kerio Personal Firewall
ZoneAlarm

Antivirus:

avast! 4 Home Edition
AVG Free
Avira AntiVir PersonalEdition Classic
Comodo AntiVirus 2.0 beta

If you wish to proceed, we'll start with ComboFix.

1. Download this file - combofix.exe (Mirror location:  http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe )
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window while it is running as that may cause it to stall.


Offline winchester73
Re: Help me please,i need your help
« Reply #33 on: July 15, 2007, 11:13:37 PM »
What sorts of cracked software have you been loading?
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Mr Mando
Re: Help me please,i need your help
« Reply #34 on: July 16, 2007, 09:50:42 AM »
I've been loading AVG Free.

Offline Mr Mando
Re: Help me please,i need your help
« Reply #35 on: July 16, 2007, 10:02:24 AM »
Shall I post a new HJT log, or the second log, or the first log?

Offline Mr Mando
Re: Help me please,i need your help
« Reply #36 on: July 16, 2007, 10:07:52 AM »
The ComboFix log:

"XPPRESP3" - 2007-07-16 13:57:53 - ComboFix 07-07-13.8 - Service Pack 2  FAT32


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\XPPRESP3\APPLIC~1.\addon.dat
C:\Program Files\video access activex object


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NM
-------\nm


(((((((((((((((((((((((((   Files Created from 2007-06-16 to 2007-07-16  )))))))))))))))))))))))))))))))


2007-07-16 13:56   51,200   --a------   C:\WINDOWS\nircmd.exe
2007-07-15 23:11   <DIR>   d--------   C:\DOCUME~1\XPPRESP3\DoctorWeb
2007-07-15 18:41   812,344   --a------   C:\HJTsetup.exe
2007-07-15 18:41   <DIR>   d--------   C:\Program Files\Trend Micro
2007-07-15 17:11   <DIR>   d--------   C:\WINDOWS\system32\xircom
2007-07-15 17:11   <DIR>   d--------   C:\WINDOWS\srchasst
2007-07-15 17:11   <DIR>   d--------   C:\Program Files\msn gaming zone
2007-07-15 17:11   <DIR>   d--------   C:\Program Files\movie maker
2007-07-15 17:11   <DIR>   d--------   C:\Program Files\microsoft frontpage
2007-07-15 16:17   51,072   --a------   C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-07-15 16:17   30,592   --a------   C:\WINDOWS\system32\drivers\ikhfile.sys
2007-07-15 16:17   <DIR>   d--------   C:\DOCUME~1\XPPRESP3\APPLIC~1\PC Tools
2007-07-15 15:34   36   -r-h-----   C:\WINDOWS\sued.dat
2007-07-15 15:15   <DIR>   d--------   C:\Program Files\Spyware Doctor
2007-07-15 15:14   626,688   --a------   C:\WINDOWS\system32\msvcr80.dll
2007-07-12 22:53   <DIR>   d--h-----   C:\Program Files\mcromedplug
2007-07-09 12:46   <DIR>   d--h-----   C:\WINDOWS\system32\sysadded


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-12 19:05:40   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\Nokia Multimedia Player
2007-06-12 19:05:20   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\Nokia
2007-06-12 19:05:18   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\Datalayer
2007-06-12 19:01:06   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\PC Suite
2007-06-12 18:59:34   --------   d-----w   C:\Program Files\Common Files\PCSuite
2007-06-12 18:59:34   --------   d-----w   C:\Program Files\Common Files\Nokia
2007-06-10 08:17:04   --------   d-----w   C:\Program Files\01-mp3search
2007-06-08 11:57:02   352,256   ----a-w   C:\WINDOWS\eSellerateEngine.dll
2007-06-02 17:16:24   365   ----a-w   C:\WINDOWS\system32\vfw_32.reg
2007-06-02 17:13:06   --------   d-----w   C:\Program Files\Xingtone
2007-05-28 20:51:04   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\Ulead Systems
2007-05-28 20:45:20   --------   d-----w   C:\DOCUME~1\XPPRESP3\APPLIC~1\LemonWire
2007-05-21 21:51:08   737,280   ----a-w   C:\WINDOWS\iun6002.exe
2007-05-07 09:57:52   77,824   ----a-w   C:\WINDOWS\iRODUninstall.exe
2007-04-07 19:00:52   1,682   --sha-w   C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-07 19:00:52   56   --sh--r   C:\WINDOWS\system32\7D12E86E4F.sys


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
2002-01-16 19:12   65536   --a------   C:\PROGRA~1\FLASHGET\jccatch.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55   2403392   -ra------   c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
2007-07-15 17:06   850104   --a------   C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 08:28]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2006-11-04 06:45]
"Propel Accelerator"="C:\Program Files\Propel Accelerator\trayctl.exe" []
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-07-27 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-05 20:35]
"ThePrivacyGuard"="C:\PROGRA~1\THEPRI~1\THEPRI~1.exe" []
"PcSync"="G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSMHelp"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YouTubeSpider.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YouTubeSpider.lnk
backup=C:\WINDOWS\pss\YouTubeSpider.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
"D:\Program Files\BearFlix\BearFlix.exe" /pause

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
D:\Documents and Settings\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messaging]
C:\Program Files\Instant Messenger Names\IM-svr.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
G:\New Folder (6)\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\virus name]
C:\Program Files\photo kiss\photo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService   Alerter LmHosts upnphost SSDPSRV


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{791C116C-F3BB-6286-5682-9C22B0E1448F}
C:\Program Files\mcromedplug\svchost.exe s

HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC493706-4A95-581C-5931-3BFF77E369FE}
C:\WINDOWS\system32\sysadded\svchost.exe s

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 14:02:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-16 14:03:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 14:03

   --- E O F ---

Offline Mr Mando
Re: Help me please,i need your help
« Reply #37 on: July 16, 2007, 10:13:49 AM »
Sorry again about this.

http://rapidshare.com/files/43208004/mylog3.txt.html

Here is the link; download the new fresh HJT log and post it. :help:

Offline Corrine
Re: Help me please,i need your help
« Reply #38 on: July 16, 2007, 10:20:39 AM »
Hi, Mr Mando.  I'm about to start work and cannot access the uploaded file (access denied by the Corporate firewall).  Unless someone else has an opportunity to post it during the day, I will do it this evening.


Offline Mr Mando
Re: Help me please,i need your help
« Reply #39 on: July 16, 2007, 10:34:41 AM »
OK Corrine,

I got for you the object that has done all of these things to me; you can find out what it is and solve the problem faster.

Here it is. DON'T DOWNLOAD IT, JUST OBSERVE IT:

This was the file I downloaded that brought me the message that says you are hacked:

http://www.fileflyer.com/view/ANHpFCX  (rendered unclickable by Corrine)

It's something like a setup for a program, but after I installed it a message came that says (Kiss virus has been installed),

and every time I open my PC I find a message that says hello, you are hacked.

Observe all of this please. :help:

Offline Corrine
Re: Help me please,i need your help
« Reply #40 on: July 16, 2007, 11:33:40 AM »
Thanks.  Since I cannot do anything else until this evening, why don't you do an online scan and then post/upload a new HijackThis log.

TrendMicro™ HouseCall Java Scan
  • Please go HERE to run the Trend Micro™ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


Offline MikeW
Re: Help me please,i need your help
« Reply #41 on: July 16, 2007, 01:40:21 PM »
Here is the log Corrine

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Slave.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Ace Explorer\Aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [PcSync] G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\digiTOP\WinManager\WinManager.exe
O8 - Extra context menu item: &Webshots Photo Search - res://G:\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)

--
End of file - 7355 bytes
Win 7 Home Premium  IE11 MSE  Mbam Pro
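The log in the post above is a HijackThis log: one entry per line, keyed by a section code (R0/R1 browser settings, O2 BHOs, O4 autoruns, O17 per-interface DNS settings, O23 services). The following Python script is an added example, not part of this thread and not HijackThis's own code. It parses lines in that format and flags the kinds of entries a log helper would research first. The triage rules are my own assumptions chosen for illustration, not HijackThis's rules; the sample lines are copied from the log posted above.

```python
"""Triage helper for HijackThis (HJT) 2.x log lines.

Added example for this thread; it is not part of the forum post and not
HijackThis's own code. The heuristics below are assumptions chosen for
illustration, not HJT's rules: they flag entries a helper would normally
research before recommending a fix, they do not decide what is malicious.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entry lines in the HJT format, with the
# values taken from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
"""

# Every HJT entry is one line: a section code (R0, O4, O23, ...), " - ", then the body.
# Header lines ("Logfile of ...", "Running processes:") and process paths do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O23"
    reason: str  # why a helper would look at this entry
    line: str    # the original log line


def parse_entries(log_text):
    """Return (code, body, line) for every HJT entry line in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return entries


def triage(log_text):
    """Apply the illustrative heuristics (assumptions, see module docstring)."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code == "R0" and body.endswith("= about:blank"):
            findings.append(Finding(code, "start page reset to about:blank", line))
        elif code == "R1" and "ProxyServer = :" in body:
            findings.append(Finding(code, "empty proxy setting left behind", line))
        elif code == "O4" and "RunOnce:" in body:
            # RunOnce values execute once at the next logon and then delete
            # themselves, so they deserve a look before the machine is rebooted.
            findings.append(Finding(code, "RunOnce entry; review before rebooting", line))
        elif code == "O17" and "NameServer" in body:
            findings.append(Finding(code, "per-interface DNS servers; confirm they belong to the ISP", line))
        elif code == "O23":
            if "Unknown owner" in body:
                findings.append(Finding(code, "service with no publisher", line))
            elif "(file missing)" in body:
                findings.append(Finding(code, "service whose binary is missing (orphaned entry)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run as-is it reports six of the nine sample entries; the AVG autorun, the Google BHO and the RA Server service pass every rule, which is the point: the script narrows the list a helper has to research, it does not replace that research.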

Offline Mr Mando
Re: Help me please,i need your help
« Reply #42 on: July 16, 2007, 02:06:09 PM »
Quote from: Corrine on July 16, 2007, 11:33:40 AM

    Thanks.  Since I cannot do anything else until this evening, why don't you do an online scan and then post/upload a new HijackThis log.

    TrendMicro™ HouseCall Java Scan
      • Please go HERE to run the Trend Micro™ HouseCall Scan.
      • Click Scan now. It's free!
      • Read and put a Check next to Yes I accept the terms of use.
      • Click the Launching HouseCall>> button.
      • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
      • You may receive a Security Warning about the TrendMicro Java applet, click YES.
      • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
      • Please be patient while it installs, updates, and scans your system.
      • Once the scan is complete, it will take you to the summary page.
      • Under Cleanup options, choose clean all detected infections automatically.
      • Click the Clean now>> button.
      • If anything was found you may be prompted to run the scan again, you can just close the browser window.

This site is so slow and it won't scan.

Check the file of the virus I sent; observe it please.

Offline Mr Mando
Re: Help me please,i need your help
« Reply #43 on: July 16, 2007, 02:19:27 PM »
I have a good idea for a faster solution.

Here is the file I downloaded:

http://rapidshare.com/files/43245496/photo_kiss.rar.html

Download and extract it but don't open the file named photo.

(I opened photo and all of these problems occurred, so please download it and check what these files are.)

I scanned them and I was amazed there were no viruses. Observe them please, I want to wake from this nightmare, pals.

Offline Corrine
Re: Help me please,i need your help
« Reply #44 on: July 16, 2007, 03:03:19 PM »
Hi, Mr Mando. 

I'm on my lunch break now so only have a couple minutes.  However, please note that your idea for a "faster solution" will not work.  I do NOT do file analysis and do not download files from unknown sources.  That is why none of my home or business computers have ever been infected.  What we do on the help forums is to review logs and research unknown items, seeking a solution for the user. 

Now, I have rendered the link unclickable so no one inadvertently clicks on it.  You can go to: http://virusscan.jotti.org/ and upload the file to be scanned and place a copy of the results here as a reply.

In addition, since you said Trend Micro is too slow, please do an online scan at ESET.  Not all companies have the same files in detection so the results can vary from vendor to vendor.  However, ESET is among the very best antivirus software companies.  Go to http://www.eset.com/threat-center/cac.php .  Accept the terms of use, click Start and follow the instructions.
