DAL Computer Help » Internet Security Help » Spyware, Adware, Viruses and HijackThis Logs » More trojans

More trojans

#1
Old 06-12-2006, 10:50 PM
Newbie
D-A-L Newbie
 
Join Date: Aug 2006
Posts: 8
Richard Walker Is a beginner here at D-A-L
More trojans

Hi, hope you can help

I've been infected by some trojan viruses, trojan H Generic2.EUQ and Generic2.IOB.
AVG has removed most but can't get rid of the last one.
I also keep getting a pop-up saying the computer is infected and I need to run some spyware. I initially clicked it and it ran BraveSentry, where 74 infected items were detected; to get rid of the infected items I am prompted to buy a licence and subscribe.

Could you please advise? Please see my HijackThis log below.

Many thanks

Richard


Logfile of HijackThis v1.99.1
Scan saved at 20:36:26, on 06/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Windows\xpupdate.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\dlh9jkd1q6.exe
C:\WINDOWS\system32\dlh9jkd1q7.exe
C:\Program Files\BraveSentry\BraveSentry.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Free\avgwb.dat
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f9dda6f4d0f14056b8dc6bdbedd87eee
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f9dda6f4d0f14056b8dc6bdbedd87eee
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Homepage - {629FE824-6D1D-48DD-9845-6365AAC94464} - http://www.btopenworld.com/default (file missing) (HKCU)
O9 - Extra button: BT - {F7F2DEEF-76E1-4438-BB5D-AE9FE3720BF6} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
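As an added example (not part of this thread, and not code from HijackThis or its author), the following Python script applies the kind of triage the helpers in this forum do by eye to lines in HijackThis v1.99 format: it parses each entry, pulls out the first file path and attaches review flags for the patterns visible in the log above (a RunServices autostart, a binary dropped in the Windows root, Winlogon Notify and AppInit_DLLs hooks, orphaned "file missing" entries, a digit-laden name in system32, an IE proxy, and the rogue product named in the thread). The sample lines are constructed from the posted log, the rogue-name list holds only BraveSentry because that is the one this thread identifies, and every heuristic is an assumption that marks an entry for review rather than a verdict.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above, one entry
# per line, so the script runs offline. Blank lines are ignored by the parser.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_00.dll
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
"""

# "O4 - ..." / "R1 - ..." section prefix, then the entry detail.
SECTION_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First drive-letter path ending in a binary/loader extension (stops at ',' or '"').
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|ocx|dat|cmd|bat)\b', re.IGNORECASE)
# Rogue "antispyware" named in this thread; an assumed list, extend as needed.
ROGUE_NAMES = {"bravesentry"}


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one HijackThis line into section code, detail text and first file path."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, detail = m.groups()
    pm = PATH_RE.search(detail)
    return {"section": section, "detail": detail,
            "path": pm.group(0) if pm else None, "line": line.strip()}


def suspicious_reasons(entry: Dict[str, Optional[str]]) -> List[str]:
    """Heuristic review flags (assumptions, not verdicts) for one parsed entry."""
    reasons: List[str] = []
    sec, low, path = entry["section"], entry["detail"].lower(), entry["path"]
    if sec == "O4" and "runservices" in low:
        reasons.append("autostart via the legacy RunServices key, rarely used by legitimate software")
    if sec == "O20":
        reasons.append("Winlogon Notify / AppInit_DLLs hook: loads at logon or into every process; verify publisher")
    if sec == "R1" and "proxyserver" in low:
        reasons.append("IE proxy server configured; confirm it is yours or your ISP's")
    if sec in ("O20", "O23") and "(file missing)" in low:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if path:
        parts = path.lower().split("\\")
        parent, stem = "\\".join(parts[:-1]), parts[-1].rsplit(".", 1)[0]
        if parent in ("c:\\windows", "c:\\winnt"):
            reasons.append("binary placed directly in the Windows root, not a normal install location")
        if "\\windows\\" in parent + "\\" and sum(c.isdigit() for c in stem) >= 2:
            reasons.append("digit-laden file name in a Windows system directory; check its publisher")
        if any(name in path.lower() for name in ROGUE_NAMES):
            reasons.append("known rogue security product named in this thread")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return only the entries that collected at least one review flag."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            findings.append({"line": entry["line"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

Entries with no flags (the NVIDIA and Google Toolbar lines) are left out of the output; the digit heuristic will also flag some legitimate versioned system DLLs, which is why each flag is a prompt to check the file, not a removal instruction.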
#2
Old 07-12-2006, 07:01 PM
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
VopThis is a D-A-L Rockstar!
Re: More trojans

You are not running HijackThis (HJT) from a desired location. You really need to set up a dedicated folder for HJT items – to avoid horrible clutter and/or potential lost-backup issues.

It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
  • Create a new folder in your C: Drive.
  • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and move the HijackThis.exe file into it.
  • Run HJT from there (and revise your shortcut accordingly).



Try uninstalling 'Bravesentry' in Add/Remove Programs. Otherwise, remove the relevant FOLDER, in question.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • In Safe Mode, right-click the SDFix.zip folder and choose Extract All.
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
#3
Old 13-12-2006, 02:18 PM
Newbie
D-A-L Newbie
 
Join Date: Aug 2006
Posts: 8
Richard Walker Is a beginner here at D-A-L
Re: More trojans

Many thanks for your help here, sorry for the late reply, I've been away for a few days.

After I contacted you I updated my Spybot software and ran the program, and this seemed to fix quite a lot. Since then I now see that I have the smitfraud-c virus, which Spybot can't move.

I followed your instructions and the new SDFix and HijackThis logs are below.

I'm sorry but I don't know how to move the HijackThis file; all my files appear under the desktop?

SDFix: Version 1.46
****************

13/12/2006 - 13:00:06.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Stage One - Safe Mode

Checking For Trojan Services...

Service Name:


File Path:



Starting Registry Repairs...
Killing PID 152 'smss.exe'
Killing PID 228 'winlogon.exe'

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two - Normal Mode

Checking For Malware:
--------------------

C:\DOCUME~1\Richard\LOCALS~1\Temp\setup_wm.exe
C:\WINDOWS\system32\dlh9jkd1q8.exe
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\TFTP2132

Backing Up and Removing any Files Found...

Final Check:

Services:
---------


Authorized Applications Key Export:

Files:
------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking for files with Hidden Attributes:

C:\System Volume Information\_restore{7442D121-FAA6-4474-870B-07BBD1BE6505}\RP503\A0060990.dll
C:\WINDOWS\system32\win_16e.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\hiberfil.sys
C:\pagefile.sys
C:\Documents and Settings\Richard\My Documents\a RW\~WRL2057.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL0988.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL2393.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Tesco\~WRL4070.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Spain\~WRL4009.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Export\~WRL2760.tmp
C:\Documents and Settings\Richard\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\~WRL2057.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL0988.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL2393.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Tesco\~WRL4070.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Export\~WRL2760.tmp
C:\Documents and Settings\Richard\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Backup Folder\My Documents(pc)\a RW\~WRL2057.tmp
C:\Backup Folder\My Documents(pc)\a RW\Sales Meetings\~WRL1859.tmp
C:\Backup Folder\My Documents(pc)\a RW\Spain\~WRL4009.tmp
C:\Backup Folder\My Documents(pc)\a RW\Mark & Advert\~WRL3746.tmp
C:\Backup Folder\My Documents(pc)\a RW\Mark & Advert\~WRL3520.tmp
C:\Backup Folder\My Documents(pc)\a RW\Export\~WRL2760.tmp
C:\Backup Folder\My Documents(pc)\a RW\Export\Sweden\~WRL2554.tmp
C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL0988.tmp
C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL4070.tmp
C:\Backup Folder\My Documents(pc)\a RW\Tesco\~WRL2393.tmp
C:\Backup Folder\My Documents\My Documents\a RW\~WRL2057.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Export\~WRL2760.tmp
C:\Backup Folder\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Backup Folder\My Documents\a RW\~WRL2057.tmp
C:\Backup Folder\My Documents\a RW\Tesco\~WRL0988.tmp
C:\Backup Folder\My Documents\a RW\Tesco\~WRL2393.tmp
C:\Backup Folder\My Documents\a RW\Tesco\~WRL4070.tmp
C:\Backup Folder\My Documents\a RW\Spain\~WRL4009.tmp
C:\Backup Folder\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Backup Folder\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Backup Folder\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Backup Folder\My Documents\a RW\Export\~WRL2760.tmp
C:\Backup Folder\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Andy\My Documents\a RW\~WRL2057.tmp
C:\Andy\My Documents\a RW\Export\~WRL2760.tmp
C:\Andy\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Andy\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Andy\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Andy\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Andy\My Documents\a RW\Spain\~WRL4009.tmp
C:\Andy\My Documents\a RW\Tesco\~WRL0988.tmp
C:\Andy\My Documents\a RW\Tesco\~WRL2393.tmp
C:\Andy\My Documents\a RW\Tesco\~WRL4070.tmp
C:\Andy\My Documents\My Documents\a RW\~WRL2057.tmp
C:\Andy\My Documents\My Documents\a RW\Export\~WRL2760.tmp
C:\Andy\My Documents\My Documents\a RW\Export\Sweden\~WRL2554.tmp
C:\Andy\My Documents\My Documents\a RW\Mark & Advert\~WRL3520.tmp
C:\Andy\My Documents\My Documents\a RW\Mark & Advert\~WRL3746.tmp
C:\Andy\My Documents\My Documents\a RW\Sales Meetings\~WRL1859.tmp
C:\Andy\My Documents\My Documents\a RW\Spain\~WRL4009.tmp
C:\Andy\suspect a RW folder\~WRL2057.tmp
C:\Andy\suspect a RW folder\Tesco\~WRL0988.tmp
C:\Andy\suspect a RW folder\Tesco\~WRL4070.tmp
C:\Andy\suspect a RW folder\Tesco\~WRL2393.tmp
C:\Andy\suspect a RW folder\Export\~WRL2760.tmp
C:\Andy\suspect a RW folder\Export\Sweden\~WRL2554.tmp
C:\Andy\suspect a RW folder\Mark & Advert\~WRL3746.tmp
C:\Andy\suspect a RW folder\Mark & Advert\~WRL3520.tmp
C:\Andy\suspect a RW folder\Spain\~WRL4009.tmp
C:\Andy\suspect a RW folder\Sales Meetings\~WRL1859.tmp

FINISHED!
HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 13:07:28, on 13/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/229?f9dda6f4d0f14056b8dc6bdbedd87eee
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-gb\msntabres.dll.mui/230?f9dda6f4d0f14056b8dc6bdbedd87eee
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Homepage - {629FE824-6D1D-48DD-9845-6365AAC94464} - http://www.btopenworld.com/default (file missing) (HKCU)
O9 - Extra button: BT - {F7F2DEEF-76E1-4438-BB5D-AE9FE3720BF6} - http://www.bt.com (file missing) (HKCU)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...26/mcgdmgr.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\tmp_00.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)

Finally, since the SDFix work was done, when I switched the computer back on there is a Windows Security icon warning me that the firewalls are switched off?

Many thanks

Richard
#4
Old 15-12-2006, 04:01 AM
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
VopThis is a D-A-L Rockstar!
Re: More trojans

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm




HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).



Do a search for all FILES with the following pattern and DELETE - enter exact search text:

*.TMP



Delete your current HijackThis file and recreate a new version in the correct default location as per the following instructions (last section):

Read This First - IMPORTANT Instructions



POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.