Dear members, I need your help please. I have a serious problem: when I open my PC I find a message that says "you are hacked", and when I close it the PC restarts, and when I click on OK the PC opens. But what is this message and how do I remove it? I scanned my PC with AVG and there were no viruses, and I installed Spyware Doctor and removed all the spyware and adware, but the message wasn't affected by what I have done... help please.
Hi, Mr Mando. Welcome to LandzDown Forum. We will do our best to assist you.
Please download HijackThis© from one of the following sites:
- http://www.thespykiller.co.uk/files/HJTsetup.exe
- http://downloads.malwareremoval.com/HJTsetup.exe
- http://security-central.us/downloads/HJTsetup.exe
At the download prompt, choose "Save"
- Navigate to the saved file and double-click the installer, HJTsetup.exe
- By default, HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut
- When the installation is complete, double-click the HijackThis icon on your desktop
- Select "Scan"
- When the scan is completed, select "Save log"
- Select a name for this first log and a text file will be produced in Notepad.
- Please UNcheck Word Wrap in Notepad (Click Format > UNcheck Word Wrap)
- Copy the text file and paste it as a reply
- Do NOT fix anything with HijackThis yet. Most of what is found is harmless or even required
- Close HijackThis and Notepad
Here it is, Corrine. It's in the attachments; it is saved in a file format, so open it with Notepad...
Mr Mando,
It doesn't quite work like that. Please open a new reply to this thread and copy and paste the HJT log into the reply.
Thanks,
Eric the Red
Sorry about that, I don't know what's wrong with the attachments, but here it is:
http://www.megaupload.com/?d=F6IMXBKQ
URL munged by Corrine
Mr Mando,
Please paste the log here. With the best will in the world we cannot afford to take the risk of malicious downloads that may be hosted on other sites. I don't mean to suggest that you would do such a thing but there are people out there who would love to infect our machines because of the damage that we have done to their spyware operations.
The speed is so slow, it won't be posted. I clicked on Post after I pasted the log but the page wouldn't change, it's too slow, I don't know why, so please download it from here: http://rapidshare.com/files/43088011/mylog1.txt.html
And I guarantee to you that nothing will happen.
Don't download it from Megaupload... download it from Rapidshare, it's fast.
URL Munged by Corrine
Sorry, Mr Mando. Our site, our rules. If you wish assistance, please copy/paste the log as a reply to this thread.
Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:29 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
Please, I beg you all, I can't paste them. When I post the thread the page wouldn't change, as if it ignores me.
Thank you, Mr Mando. We are investigating the problem in posting your logfile.
Corrine, this is not the whole log, please read ^^^
I'm working on figuring out the cause - please stand by.
Thanks Aaron, but this is not the whole log, please download it from here [Removed by Aaron Hulett - MSFT]
I beg you all, please download it. I can't even post the log in the reply; the browser is slow when I post huge objects.
I'm working on why you can't post it. I've determined what in the log is causing it, but not why it causes the forums to not accept the post.
Remember, logs must be posted to the forums before we'll work on them. I'm going to post an edited version with cmd-dot-exe instead of cmd . exe so that it'll work.
Aaron
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:29 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd-dot-exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Slave.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Ace Explorer\Aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: XBTP01621 - {9EDB89EF-E4BC-4c70-B102-8F7A4365EE33} - C:\PROGRA~1\IMESHA~1\IMESHM~1\MediaBar.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: iMesh MediaBar - {B7D3E479-CC68-42B5-A338-938ECE35F419} - C:\Program Files\iMesh applications\iMesh MediaBar\MediaBar.dll
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd-dot-exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [PcSync] G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd-dot-exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd-dot-exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd-dot-exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd-dot-exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\digiTOP\WinManager\WinManager.exe
O8 - Extra context menu item: &Webshots Photo Search - res://G:\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 8054 bytes
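As an added illustration (not code from the thread, from HijackThis, or from any of the posters), here is how a helper's first pass over a log like the one above can be automated: split the log into the running-process list and the R/O section entries, then pull out the entries that get checked first: services HijackThis reports with "Unknown owner", entries pointing at files that no longer exist, O17 NameServer overrides and R1 proxy settings. The sample log is a constructed subset of the lines posted above; nothing the script flags is a verdict, only a list of items to verify by hand.

```python
"""Triage helper for HijackThis logs: split the log into running processes and
section entries, then flag the entry kinds a helper reviews first.
(Added example, not part of the thread or of HijackThis itself.)"""
import re
from collections import Counter

# Constructed sample: a subset of the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:31:29 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\Slave.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe
--
End of file - 8054 bytes
"""

# Every section entry starts with its code (R0, R1, F2, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def parse_hjt(text):
    """Return (header lines, running processes, [(section, body), ...])."""
    header, processes, entries = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--" or line.startswith("End of file"):
            continue
        match = ENTRY_RE.match(line)
        if match:                        # first section entry ends the process list
            in_processes = False
            entries.append((match.group(1), match.group(2)))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            header.append(line)          # Logfile/Scan saved/Platform/Boot mode
    return header, processes, entries


def nameservers(entries):
    """DNS servers set via O17 entries; compare these with the ISP/router values."""
    servers = []
    for section, body in entries:
        if section == "O17" and "NameServer =" in body:
            servers.extend(body.partition("NameServer =")[2].split())
    return servers


def triage(entries):
    """Return [(finding kind, entry body)] for the items checked first in a review."""
    findings = []
    for section, body in entries:
        if section == "O23" and "- Unknown owner -" in body:
            findings.append(("service-unknown-owner", body))   # publisher not identified
        if "(file missing)" in body or "(no file)" in body:
            findings.append(("orphaned-entry", body))          # registry points at nothing
        if section == "O17":
            findings.append(("dns-override", body))            # per-adapter DNS servers
        if section == "R1" and "ProxyServer" in body:
            findings.append(("proxy-setting", body))           # IE proxy configuration
    return findings


def section_counts(entries):
    """How many entries each HijackThis section has (O2 BHOs, O4 autoruns, ...)."""
    return Counter(section for section, _ in entries)


if __name__ == "__main__":
    _, procs, ents = parse_hjt(SAMPLE_LOG)
    print(f"{len(procs)} running processes, sections: {dict(section_counts(ents))}")
    print("DNS servers:", nameservers(ents))
    for kind, body in triage(ents):
        print(f"[{kind}] {body}")
```

The flagged kinds are starting points: an "Unknown owner" service only means HijackThis could not read a publisher, and orphaned entries are usually leftovers of uninstalled software; a helper still confirms each one against the file on disk before recommending any fix.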
Is there something I can do, or just wait, Aaron?
Please wait for someone to review your log and post instructions.
Hi, Mr Mando. While Aaron was working on that problem, we have been looking at your log. You do have some serious problems so let's see if we can get the cleanup started.
Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
- Double-click the drweb-cureit.exe file and allow it to run the express scan
- This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
- Once the short scan has finished, Click Options > Change settings
- Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
- Back at the main window, mark the drives that you want to scan.
- Select all drives. A red dot shows which drives have been chosen.
- Click the green arrow at the right, and the scan will start.
- Click 'Yes to all' if it asks if you want to cure/move the file.
- When the scan has finished, look if you can click the check icon next to the files found: [image: check icon]
- If so, click it and then click the icon right below it and select Move incurable, as shown in the next image: [image: Move incurable option]
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
- After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list
- Save the report to your desktop. The report will be called DrWeb.csv
- Close Dr.Web Cureit.
- Reboot your computer! Files that are in use may only be moved/deleted during the reboot.
- After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Please include a fresh HJT log with the log from Dr.Web (and hope that the software will allow you to post it.)
mediabar.dll;c:\program files\imesh applications\imesh mediabar;Adware.Softomate;Deleted.;
srvany.exe;c:\windows\system32;Program.SrvAny;Renamed.;
svchost.exe;c:\windows\system32\sysadded;BackDoor.Bifrost;Deleted.;
AUTOEXEC.BAT;C:\;Deltree.Generic;Deleted.;
srvany.exe;C:\WINDOWS\system32;Program.SrvAny;Deleted.;
kas.exe;C:\WINDOWS\system32;Trojan.PWS.LDPinch.1622;Deleted.;
sxmm.dll;C:\WINDOWS\system32;BackDoor.TerraBit;Deleted.;
SHNT288.exe;C:\Documents and Settings\XPPRESP3\Local Settings\Temp;Adware.NewDotNet;Deleted.;
MediaBar.dll;C:\Program Files\iMesh applications\iMesh MediaBar;Adware.Softomate;Deleted.;
A0000015.exe;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;BackDoor.Bifrost;Deleted.;
A0000016.exe;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.PWS.LDPinch.1622;Deleted.;
A0000017.dll;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;BackDoor.TerraBit;Deleted.;
MSN-Winks.exe;G:\;Adware.nCase;Renamed.;
Install-Emoticons.exe;G:\;Adware.nCase;Deleted.;
PrivacyGuardSetup.exe;G:\;Trojan.Ulone;Deleted.;
PrivacyGuardSetup.exe;G:\The Privacy Guard 1.5 + Crack;Trojan.Ulone;Deleted.;
Client.exe\data001;G:\Ahmedy\c\TVM\Client.exe;BackDoor.TerraBit;;
Client.exe;G:\Ahmedy\c\TVM;Archive contains infected objects;Moved.;
MSN-Winks.#xe;G:\;Adware.nCase;Deleted.;
scklpro.exe;G:\2007-\C\vbhacker\vbhacker;Trojan.SCKeyLog.33;Incurable.Moved.;
BrutusA2.exe;G:\2007-\C\brutus-aet2;Tool.BrutusPWS;Deleted.;
hehe.bat;G:\2007-\C\Ahmed Attacking Castle\V.I.P;Deltree.Generic;Deleted.;
mspass.exe;G:\2007-\C\Ahmed Attacking Castle\Desktop\mspass;Tool.MessenPass;Deleted.;
A0000018.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.Ulone;Deleted.;
A0000019.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.Ulone;Deleted.;
A0000020.exe\data001;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3\A0000020.exe;BackDoor.TerraBit;;
A0000020.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Archive contains infected objects;Moved.;
A0000023.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Adware.nCase;Deleted.;
A0000024.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Adware.nCase;Deleted.;
A0000028.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.SCKeyLog.33;Incurable.Moved.;
A0000029.bat;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Deltree.Generic;Deleted.;
A0000030.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Tool.BrutusPWS;Deleted.;
A0000031.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Tool.MessenPass;Deleted.;
IceCold_ReLoaded.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c;Tool.Homac;Deleted.;
MSN Password Finder v2.0.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c\MSN-Password-Finder-2[1].0;Tool.MsnCheck;Deleted.;
Quote from: Aaron Hulett - MSFT on July 15, 2007, 07:14:26 PM
I posted the CureIt log and the HJT log, but when I rebooted the PC I still find the message that says "you are hacked". What can I do?
Hi, Mr Mando.
Two things, please. Could you post the complete Dr Web log? We need to see all of it. Also, in order to see what is remaining, we need to see a new HijackThis log now that you've run Dr Web. Hopefully, there won't be further problems posting a new log. If you receive the same error as before, try placing the log between the quote tags as shown in the code box below:
[quote]
paste log
[/quote]
Thanks.
Here is the complete Dr Web log:
mediabar.dll;c:\program files\imesh applications\imesh mediabar;Adware.Softomate;Deleted.;
srvany.exe;c:\windows\system32;Program.SrvAny;Renamed.;
svchost.exe;c:\windows\system32\sysadded;BackDoor.Bifrost;Deleted.;
AUTOEXEC.BAT;C:\;Deltree.Generic;Deleted.;
srvany.exe;C:\WINDOWS\system32;Program.SrvAny;Deleted.;
kas.exe;C:\WINDOWS\system32;Trojan.PWS.LDPinch.1622;Deleted.;
sxmm.dll;C:\WINDOWS\system32;BackDoor.TerraBit;Deleted.;
SHNT288.exe;C:\Documents and Settings\XPPRESP3\Local Settings\Temp;Adware.NewDotNet;Deleted.;
MediaBar.dll;C:\Program Files\iMesh applications\iMesh MediaBar;Adware.Softomate;Deleted.;
A0000015.exe;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;BackDoor.Bifrost;Deleted.;
A0000016.exe;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.PWS.LDPinch.1622;Deleted.;
A0000017.dll;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;BackDoor.TerraBit;Deleted.;
MSN-Winks.exe;G:\;Adware.nCase;Renamed.;
Install-Emoticons.exe;G:\;Adware.nCase;Deleted.;
PrivacyGuardSetup.exe;G:\;Trojan.Ulone;Deleted.;
PrivacyGuardSetup.exe;G:\The Privacy Guard 1.5 + Crack;Trojan.Ulone;Deleted.;
Client.exe\data001;G:\Ahmedy\c\TVM\Client.exe;BackDoor.TerraBit;;
Client.exe;G:\Ahmedy\c\TVM;Archive contains infected objects;Moved.;
MSN-Winks.#xe;G:\;Adware.nCase;Deleted.;
scklpro.exe;G:\2007-\C\vbhacker\vbhacker;Trojan.SCKeyLog.33;Incurable.Moved.;
BrutusA2.exe;G:\2007-\C\brutus-aet2;Tool.BrutusPWS;Deleted.;
hehe.bat;G:\2007-\C\Ahmed Attacking Castle\V.I.P;Deltree.Generic;Deleted.;
mspass.exe;G:\2007-\C\Ahmed Attacking Castle\Desktop\mspass;Tool.MessenPass;Deleted.;
A0000018.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.Ulone;Deleted.;
A0000019.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.Ulone;Deleted.;
A0000020.exe\data001;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3\A0000020.exe;BackDoor.TerraBit;;
A0000020.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Archive contains infected objects;Moved.;
A0000023.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Adware.nCase;Deleted.;
A0000024.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Adware.nCase;Deleted.;
A0000028.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Trojan.SCKeyLog.33;Incurable.Moved.;
A0000029.bat;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Deltree.Generic;Deleted.;
A0000030.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Tool.BrutusPWS;Deleted.;
A0000031.exe;G:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;Tool.MessenPass;Deleted.;
IceCold_ReLoaded.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c;Tool.Homac;Deleted.;
MSN Password Finder v2.0.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c\MSN-Password-Finder-2[1].0;Tool.MsnCheck;Deleted.;
I can't paste the new HJT log, I get the same error as before, so please download it and post it yourselves.
Here is the link: http://rapidshare.com/files/43129778/mylog2.txt.html
Hi, Mr Mando. A quick look at what has been removed by Dr Web and I must warn you. If the file below isn't something you intentionally installed on your computer, and if you do any online banking or bill paying, go to another computer and change the passwords as soon as possible, and do not use this computer for any personal or financial transactions until it is cleaned.
MSN Password Finder v2.0.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c\MSN-Password-Finder-2[1].0;Tool.MsnCheck;Deleted.;
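To show how a warning like the one above can be derived from the report itself, here is an added example (not from the thread and not Dr.Web's own code) that parses the DrWeb.csv report format, one `name;path;threat;action;` record per line, groups detections by family, separates hits inside System Volume Information (restore-point copies) from hits on the live system, lists entries with no recorded action, and sets a credential-risk flag when a backdoor or password stealer was found on the live system. The sample report is a constructed subset of the lines posted above, and the family classification is this example's own coarse grouping of Dr.Web's names, not a Dr.Web category.

```python
"""Summarise a Dr.Web CureIt report (DrWeb.csv) the way a helper reads it:
what was found, what was actually removed, and whether anything found implies
that passwords typed on the machine should be treated as compromised.
(Added example, not part of the thread or of Dr.Web itself.)"""
import csv
from collections import Counter

# Constructed sample: a subset of the report lines posted in this thread.
SAMPLE_REPORT = r"""
srvany.exe;c:\windows\system32;Program.SrvAny;Renamed.;
svchost.exe;c:\windows\system32\sysadded;BackDoor.Bifrost;Deleted.;
kas.exe;C:\WINDOWS\system32;Trojan.PWS.LDPinch.1622;Deleted.;
sxmm.dll;C:\WINDOWS\system32;BackDoor.TerraBit;Deleted.;
MediaBar.dll;C:\Program Files\iMesh applications\iMesh MediaBar;Adware.Softomate;Deleted.;
Client.exe\data001;G:\Ahmedy\c\TVM\Client.exe;BackDoor.TerraBit;;
Client.exe;G:\Ahmedy\c\TVM;Archive contains infected objects;Moved.;
scklpro.exe;G:\2007-\C\vbhacker\vbhacker;Trojan.SCKeyLog.33;Incurable.Moved.;
A0000015.exe;C:\System Volume Information\_restore{163A3451-9F87-4EB0-A9BC-4C626768919C}\RP3;BackDoor.Bifrost;Deleted.;
MSN Password Finder v2.0.exe;G:\Mando WWE & Other Wrestling\Ahmedy\c\MSN-Password-Finder-2[1].0;Tool.MsnCheck;Deleted.;
"""


def parse_report(text):
    """Each report line is name;path;threat;action; (note the trailing separator)."""
    entries = []
    rows = csv.reader((line for line in text.splitlines() if line.strip()), delimiter=";")
    for row in rows:
        if len(row) < 4:
            continue
        name, path, threat, action = (field.strip() for field in row[:4])
        entries.append({
            "name": name,
            "path": path,
            "threat": threat,
            "action": action.rstrip("."),            # "Deleted." -> "Deleted"; "" stays ""
            "in_restore_point": "System Volume Information" in path,
        })
    return entries


def classify(threat):
    """Coarse family grouping of Dr.Web detection names (this example's own buckets)."""
    if threat.startswith("BackDoor."):
        return "backdoor"
    if threat.startswith("Trojan.PWS.") or "KeyLog" in threat:
        return "credential-stealer"
    if threat.startswith("Tool."):
        return "hacktool"
    if threat.startswith("Adware."):
        return "adware"
    if threat.startswith("Archive"):
        return "archive"
    return "other"


def summarize(text):
    """Counts per family, unresolved entries, restore-point hits and a credential flag."""
    entries = parse_report(text)
    live = [e for e in entries if not e["in_restore_point"]]
    return {
        "total": len(entries),
        "by_category": Counter(classify(e["threat"]) for e in entries),
        # No action recorded: usually a member of an archive that was handled via its
        # container (the next line), but worth confirming the container was moved.
        "unresolved": [e for e in entries if not e["action"]],
        "restore_point_hits": sum(e["in_restore_point"] for e in entries),
        # A backdoor or password stealer outside a restore point means an attacker may
        # have had access to the live system: rotate credentials from a clean machine.
        "credential_risk": any(
            classify(e["threat"]) in ("backdoor", "credential-stealer") for e in live
        ),
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(f"{summary['total']} detections: {dict(summary['by_category'])}")
    print(f"restore-point copies: {summary['restore_point_hits']}")
    for e in summary["unresolved"]:
        print(f"no action recorded: {e['name']} in {e['path']}")
    print("change passwords from another machine:", summary["credential_risk"])
```

Restore-point copies are counted separately because they show what was on the system earlier, not what is running now; the credential flag is driven only by detections outside them, which is the distinction that decides whether the password advice above applies.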
Ok, we'll try the log in parts:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:18 AM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Slave.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Ace Explorer\Aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\msconfig.exe /auto
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [PcSync] G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\digiTOP\WinManager\WinManager.exe
O8 - Extra context menu item: &Webshots Photo Search - res://G:\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
It is going to take me some time to review your log so please be patient.
Thanks.
ok Corrine, take your time
In addition to MSN Password Finder, I'm seeing things like this that were removed by Dr Web:
PrivacyGuardSetup.exe;G:\The Privacy Guard 1.5 + Crack;Trojan.Ulone;Deleted.;
Tool.BrutusPWS;Deleted.;
This tells me that either you have been up to no good or your security has been severely compromised. If you wish to continue on with attempting to clean this machine, I need to repeat my caution regarding online banking or bill paying. Go to another computer and change any passwords for such accounts and do not access them from this computer.
I strongly suggest a firewall and antivirus software. The following are free for personal use:
Firewalls:
Agnitum Outpost Firewall (http://www.agnitum.com/products/outpostfree/index.php)
Comodo Free Firewall (http://www.personalfirewall.comodo.com/)
Kerio Personal Firewall (http://www.kerio.com/kpf_download.html)
ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp)
Antivirus:
avast! 4 Home Edition (http://www.avast.com/eng/download-avast-home.html)
AVG Free (http://free.grisoft.com/freeweb.php/doc/2/)
Avira AntiVir PersonalEdition Classic (http://www.free-av.com/)
Comodo AntiVirus 2.0 beta (http://www.antivirus.comodo.com/)
If you wish to proceed, we'll start with ComboFix.
1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) (Mirror location: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe )
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh HijackThis log.
Note:
Do not mouseclick combofix's window while it is running as that may cause it to stall.
What sorts of cracked software have you been loading?
I've been loading AVGFree,
shall I post a new HJT log, or the second log, or the first log?
the combofix log,
"XPPRESP3" - 2007-07-16 13:57:53 - ComboFix 07-07-13.8 - Service Pack 2 FAT32
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\XPPRESP3\APPLIC~1.\addon.dat
C:\Program Files\video access activex object
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NM
-------\nm
((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))
2007-07-16 13:56 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 23:11 <DIR> d-------- C:\DOCUME~1\XPPRESP3\DoctorWeb
2007-07-15 18:41 812,344 --a------ C:\HJTsetup.exe
2007-07-15 18:41 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-15 17:11 <DIR> d-------- C:\WINDOWS\system32\xircom
2007-07-15 17:11 <DIR> d-------- C:\WINDOWS\srchasst
2007-07-15 17:11 <DIR> d-------- C:\Program Files\msn gaming zone
2007-07-15 17:11 <DIR> d-------- C:\Program Files\movie maker
2007-07-15 17:11 <DIR> d-------- C:\Program Files\microsoft frontpage
2007-07-15 16:17 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-07-15 16:17 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-07-15 16:17 <DIR> d-------- C:\DOCUME~1\XPPRESP3\APPLIC~1\PC Tools
2007-07-15 15:34 36 -r-h----- C:\WINDOWS\sued.dat
2007-07-15 15:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-07-15 15:14 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-12 22:53 <DIR> d--h----- C:\Program Files\mcromedplug
2007-07-09 12:46 <DIR> d--h----- C:\WINDOWS\system32\sysadded
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-12 19:05:40 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\Nokia Multimedia Player
2007-06-12 19:05:20 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\Nokia
2007-06-12 19:05:18 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\Datalayer
2007-06-12 19:01:06 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\PC Suite
2007-06-12 18:59:34 -------- d-----w C:\Program Files\Common Files\PCSuite
2007-06-12 18:59:34 -------- d-----w C:\Program Files\Common Files\Nokia
2007-06-10 08:17:04 -------- d-----w C:\Program Files\01-mp3search
2007-06-08 11:57:02 352,256 ----a-w C:\WINDOWS\eSellerateEngine.dll
2007-06-02 17:16:24 365 ----a-w C:\WINDOWS\system32\vfw_32.reg
2007-06-02 17:13:06 -------- d-----w C:\Program Files\Xingtone
2007-05-28 20:51:04 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\Ulead Systems
2007-05-28 20:45:20 -------- d-----w C:\DOCUME~1\XPPRESP3\APPLIC~1\LemonWire
2007-05-21 21:51:08 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-05-07 09:57:52 77,824 ----a-w C:\WINDOWS\iRODUninstall.exe
2007-04-07 19:00:52 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-04-07 19:00:52 56 --sh--r C:\WINDOWS\system32\7D12E86E4F.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}]
2002-01-16 19:12 65536 --a------ C:\PROGRA~1\FLASHGET\jccatch.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar1.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}]
2007-07-15 17:06 850104 --a------ C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-22 08:28]
"diagnostics"="C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" [2006-11-04 06:45]
"Propel Accelerator"="C:\Program Files\Propel Accelerator\trayctl.exe" []
"DataLayer"="C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe" [2005-03-31 09:30]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2005-07-27 21:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-05 20:35]
"ThePrivacyGuard"="C:\PROGRA~1\THEPRI~1\THEPRI~1.exe" []
"PcSync"="G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe" [2005-04-20 09:57]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"nlsf"=cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
"nlhr"=RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
"tscuninstall"=%systemroot%\system32\tscupgrd.exe
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoRemoteRecursiveEvents"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSMHelp"=1 (0x1)
"NoSaveSettings"=0 (0x0)
"NoRecentDocsMenu"=1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=1 (0x1)
"NoSMHelp"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^YouTubeSpider.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\YouTubeSpider.lnk
backup=C:\WINDOWS\pss\YouTubeSpider.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Eyetide Launcher.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Eyetide Launcher.lnk
backup=C:\WINDOWS\pss\Eyetide Launcher.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Metacafe.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Metacafe.lnk
backup=C:\WINDOWS\pss\Metacafe.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XPPRESP3^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\XPPRESP3\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
"D:\Program Files\BearFlix\BearFlix.exe" /pause
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
D:\Documents and Settings\Free Download Manager\fdm.exe -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messaging]
C:\Program Files\Instant Messenger Names\IM-svr.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
G:\New Folder (6)\Nokia PC Suite 6\LaunchApplication.exe -onlytray
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\virus name]
C:\Program Files\photo kiss\photo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter LmHosts upnphost SSDPSRV
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{791C116C-F3BB-6286-5682-9C22B0E1448F}
C:\Program Files\mcromedplug\svchost.exe s
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EC493706-4A95-581C-5931-3BFF77E369FE}
C:\WINDOWS\system32\sysadded\svchost.exe s
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-16 14:02:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-16 14:03:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-16 14:03
--- E O F ---
sorry again about this,
http://rapidshare.com/files/43208004/mylog3.txt.html
here is the link, download the new fresh HJT log and post it, :help:
Hi, Mr Mando. I'm about to start work and cannot access the uploaded file (access denied by the Corporate firewall). Unless someone else has an opportunity to post it during the day, I will do it this evening.
ok Corrine,
I got for you the object that had done all of these things to me, so you can know what it is and solve the problem faster,
here it is: DON'T DOWNLOAD IT, JUST OBSERVE IT:
this was the file I downloaded and it brought me the message that says you are hacked
http://www.fileflyer.com/view/ANHpFCX (rendered unclickable by Corrine)
It's something like a setup for a program, but after I installed it a message came that says (Kiss virus has been installed)
and every time I open my pc I find a message that says hello, you are hacked
Observe all of this plz, :help:
Thanks. Since I cannot do anything else until this evening, why don't you do an online scan and then post/upload a new HijackThis log.
TrendMicro™ HouseCall Java Scan
- Please go HERE (http://www.trendmicro.com/hc_intro/default.asp) to run the Trend Micro™ HouseCall Scan.
- Click Scan now. It's free!
- Read and put a Check next to Yes I accept the terms of use.
- Click the Launching HouseCall>> button.
- If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
- You may receive a Security Warning about the TrendMicro Java applet, click YES.
- Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
- Please be patient while it installs, updates, and scans your system.
- Once the scan is complete, it will take you to the summary page.
- Under Cleanup options, choose clean all detected infections automatically.
- Click the Clean now>> button.
- If anything was found you may be prompted to run the scan again, you can just close the browser window.
Here is the log, Corrine
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:07, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson SpeedTouch\ST330\service\st330service.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Slave.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Thomson SpeedTouch\ST330\diagnostics\diagnostics.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Ace Explorer\Aexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [diagnostics] "C:\Program Files/Thomson SpeedTouch/ST330/diagnostics/diagnostics.exe" /icon -l:en
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\Propel Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [PcSync] G:\New Folder (6)\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O4 - Global Startup: WinManager.lnk = C:\Program Files\digiTOP\WinManager\WinManager.exe
O8 - Extra context menu item: &Webshots Photo Search - res://G:\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra 'Tools' menuitem: Advanced Email Extractor - {AFA7DB99-3E4D-4396-94F8-B0B135BCB472} - G:\Ahmed%20Castle\Advanced%20Email%20Extractor%20Pro\AeeMSIE.dll (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: SpeedTouch 330 Manager (st330service) - THOMSON Telecom Belgium - C:\Program Files/Thomson SpeedTouch/ST330/service/st330service.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
--
End of file - 7355 bytes
Quote from: Corrine on July 16, 2007, 12:33:40 PM
Thanks. Since I cannot do anything else until this evening, why don't you do an online scan and then post/upload a new HijackThis log.
TrendMicro™ HouseCall Java Scan
- Please go HERE (http://www.trendmicro.com/hc_intro/default.asp) to run the Trend Micro™ HouseCall Scan.
- Click Scan now. It's free!
- Read and put a Check next to Yes I accept the terms of use.
- Click the Launching HouseCall>> button.
- If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
- You may receive a Security Warning about the TrendMicro Java applet, click YES.
- Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
- Please be patient while it installs, updates, and scans your system.
- Once the scan is complete, it will take you to the summary page.
- Under Cleanup options, choose clean all detected infections automatically.
- Click the Clean now>> button.
- If anything was found you may be prompted to run the scan again, you can just close the browser window.
this site is so slow and it won't scan,
check the file of the virus I sent, observe it plz
I have a good idea for a faster solution,
here is the file I downloaded,
http://rapidshare.com/files/43245496/photo_kiss.rar.html
download and extract it but don't open the file named photo,
(I opened photo and all of these problems occurred, so plz download it and check what these files are)
I scanned them and I was amazed there were no viruses, observe them plz, I want to wake from this nightmare pals,
Hi, Mr Mando.
I'm on my lunch break now so only have a couple minutes. However, please note that your idea for a "faster solution" will not work. I do NOT do file analysis and do not download files from unknown sources. That is why none of my home or business computers have ever been infected. What we do on the help forums is to review logs and research unknown items, seeking a solution for the user.
Now, I have rendered the link unclickable so no one inadvertently clicks on it. You can go to: http://virusscan.jotti.org/ and upload the file to be scanned and place a copy of the results here as a reply.
In addition, since you said Trend Micro is too slow, please do an online scan at ESET. Not all companies have the same files in detection so the results can vary from vendor to vendor. However, ESET is among the very best antivirus software companies. Go to http://www.eset.com/threat-center/cac.php . Accept the terms of use, click Start and follow the instructions.
Quote from: winchester73 on July 16, 2007, 12:13:37 AM
What sorts of cracked software have you been loading?
I may have missed your answer to this earlier question. It's pretty clear you have been downloading cracks/warez/etc and got yourself infected.
yes, it's true,
Quote from: Mr Mando on July 16, 2007, 06:53:35 PM
yes, it's true,
No kidding ... 8)
Perhaps you might give us a few hints about what you downloaded, if for no other reason than to be able to properly assist you.
I downloaded a program that opens the webcam for anyone you talk with, but it was a virus.
Ok, Mr Mando. Let's give this a shot.
During this process, please change your settings to show hidden files. You can change the setting back when the cleanup is completed.
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Show hidden files and folders.
- Uncheck the Hide protected operating system files (recommended) option.
- Click Yes to confirm.
- Click OK.
Download the Killbox (http://www.downloads.subratam.org/KillBox.zip) © Option^Explicit.
Unzip it to the desktop
Please uninstall PrivacyGuard since the Dr Web log indicates you installed a crack copy.
Let's take care of the service first.
- Go to Start > Run and type in Services.msc then click OK
- Click the Extended tab.
- Scroll down until you find the service SurferService
- Click once on the service to highlight it.
- Click Stop
- Right-Click on the service.
- Click on 'Properties'
- Select the 'General' tab
- Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
- From the drop-down menu, click on 'Disabled'
- Click the 'Apply' tab, then click 'OK'
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\PROGRA~1\THEPRI~1\THEPRI~1.EXE" /startup
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
Click on Fix Checked when finished and exit HijackThis.
Select "Delete on Reboot".
Place the following line (complete path) in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\Slave.exe
Put a mark next to "Delete on Reboot".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
When you reply, not only do I want to see a fresh HijackThis log, I also want to see a firewall and antivirus software. Links to free software were posted above.
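As an added example (not part of this thread, and not code from HijackThis, Killbox or any other tool named here), the following Python script applies the kind of first-pass review Corrine is doing by hand to lines in the HijackThis log format posted above. The sample lines are constructed from entries seen in the logs in this thread; the heuristics (an entry whose file is reported absent, an O23 service with "Unknown owner", a list of service names a helper has already decided to remove, and O17 DNS servers to be confirmed with the ISP) are my own assumptions about what a helper looks at first, not rules from HijackThis.

```python
"""Review helper for HijackThis-style log lines (added example, not part of the thread)."""
import re
from dataclasses import dataclass

# Constructed sample in the format of the logs posted above, trimmed to a few lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O3 - Toolbar: Webshots Toolbar - {C17590D2-ECB4-4b15-8820-F58798DCC118} - G:\Webshots\WSToolbar4IE.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D636428-D8E7-46E9-A30A-8F646FFFEE25}: NameServer = 163.121.128.134 212.103.160.18
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: RA Server (Slave) - TWD Industries, LLC - C:\WINDOWS\Slave.exe
O23 - Service: AutomatedSurfer (SurferService) - Unknown owner - C:\WINDOWS\system32\srvany.exe (file missing)
"""

# "R0 - ...", "O23 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.+)$")
# O23 body: "Service: <display name> (<short name>) - <owner> - <path>".
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<path>.+)$"
)
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Return (section, body, raw_line) for every R/O entry; process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def service_paths(text):
    """Map O23 service short names to their binary path, without the '(file missing)' suffix."""
    paths = {}
    for section, body, _ in parse_entries(text):
        if section != "O23":
            continue
        m = SERVICE_RE.match(body)
        if m:
            path = m.group("path")
            for marker in MISSING_MARKERS:
                path = path.replace(" " + marker, "")
            paths[m.group("name")] = path
    return paths


def review(text, services_to_remove=()):
    """Flag entries a helper would look at first. Heuristics are assumptions, not HJT rules."""
    findings = []
    for section, body, raw in parse_entries(text):
        if body.endswith(MISSING_MARKERS):
            findings.append(Finding(section, "referenced file is absent; orphaned entry", raw))
        if section == "O23":
            m = SERVICE_RE.match(body)
            if m and m.group("owner") == "Unknown owner":
                findings.append(Finding(section, "service has no known publisher", raw))
            if m and m.group("name") in services_to_remove:
                findings.append(Finding(section, f"service {m.group('name')} is on the removal list", raw))
        if section == "O17":
            findings.append(Finding(section, "DNS servers set on the adapter; confirm they belong to the ISP", raw))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG, services_to_remove=("Slave", "SurferService")):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The script only sorts entries into "look at this first" buckets; it does not decide what is malicious. An orphaned toolbar or a service with no publisher is a reason to research the item, which is what the thread's helpers do before asking for anything to be fixed.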
I don't see any signs in the HJT log of Windows Genuine Advantage ...
Do you have a cracked copy of XP running?
Also, it is rare to see a HJT log without any O16 items. Did you remove all of them prior to posting the log?
Seems like your big gun silenced him, winchester73 :D
Indeed ... :)
Perhaps Mr Mando is on holiday or something.