Another "Hijack" log that needs checking THANKS
AfterDawn Addict
6. January 2007 @ 18:22
That is not a problem, here's the log... looks the same to me though.

HAXFIX logfile - by Marckie

version 4.34
Sun 01/07/2007 14:20:18.07

--- Checking for Haxdoor ---

checking for a3d files
a3d files found
ps.a3d
redir2.a3d

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!




guide by ScubaPete http://www.dvdplusvideo.com/tutorial007.html Nero guide by alkohol http://www.dvdplusvideo.com/Guides/alkohol_guide3.html

New RipIt4Me + DVD Shrink + ImgBurn guide <==== Rip any DVDs http://forums.afterdawn.com/thread_view.cfm/422740 Guides by bbmayo..... http://webpages.charter.net/bacitup/
Senior Member
6. January 2007 @ 19:45
Looks better. :-) The main files are gone, just the gathered info files remain.

Go here and download KillBox. We'll use it later.


Copy the following bold text into Notepad.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}]


Make sure there are no blank lines before REGEDIT4.
Name the file Fix.reg
Change the "Save as Type" to All Files and save it on the desktop.
Open the Fix.reg file and click Yes when prompted to merge.


Open Killbox.exe
Check "Standard file kill".
Copy/Paste this into the area:
C:\WINDOWS\System32\klo5.sys
Click the red button with a white X.

Check "Delete file on reboot".
Copy/Paste this into the area:
C:\WINDOWS\System32\ps.a3d
Click the red button with a white X.
Click No when prompted to restart.
Copy/paste this into the area:
C:\WINDOWS\System32\redir2.a3d
Click the red button with a white X.
Click Yes when prompted to restart.
If your computer does not restart on its own, restart.


Since ActiveScan will not show us what registry entry belongs to New.Net, we'll just try running the uninstaller.
Go here and follow the removal instructions in Procedure 4 at the bottom of the page.

Restart after.


Then finally, download F-Secure Blacklight (blbeta.exe) to the desktop from here.

Open it and click Accept Agreement.
Click "Scan".
After the scan is complete, click "Next", then "Exit".
It will create a log on the desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
Post that log in your next reply along with a new HijackThis log. Hopefully, that will be the last two logs. :-)
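Before merging a Fix.reg that someone has posted for you, it is worth seeing exactly what it will do. The script below is an added example, not code from this thread or from HijackThis, KillBox or ActiveScan: it parses a REGEDIT4 file into explicit actions, enforces the "nothing before REGEDIT4" rule from the post above, and cross-checks the keys the fix deletes against the registry locations in the ActiveScan report that appears later in the thread (both the reg file and the report lines are copied from the thread).

```python
"""Review a REGEDIT4 fix file before merging it.

Added example, not code from the thread or from HijackThis/KillBox/ActiveScan.
It turns Fix.reg into a list of explicit actions (delete key, create key,
set value, delete value), enforces the header rule from the post above
(regedit refuses the file if REGEDIT4 is not the very first line), and
cross-checks the keys it deletes against the registry locations flagged
in the ActiveScan report posted later in the thread.
"""
import re
from dataclasses import dataclass

# Fix.reg exactly as posted in the thread (CRLF line endings, as Notepad saves it).
FIX_REG = (
    "REGEDIT4\r\n"
    "\r\n"
    "[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
    "\\{00A6FAF1-072E-44cf-8957-5838F569A31D}]\r\n"
    "\r\n"
    "[-HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
    "\\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}]\r\n"
)

# ActiveScan result lines as posted later in the thread (Incident / Status / Location).
ACTIVESCAN = (
    "Incident Status Location\n"
    "Virus:bck/haxdoor.gen Disinfected Operating system\n"
    "Virus:bck/haxdoor.a Not disinfected Operating system\n"
    "Potentially unwanted tool:application/mywebsearch Not disinfected "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
    "\\{00A6FAF1-072E-44cf-8957-5838F569A31D}\n"
    "Potentially unwanted tool:application/zango Not disinfected "
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats"
    "\\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}\n"
    "Spyware:spyware/new.net Not disinfected Windows Registry\n"
)

HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}
HIVES = {"HKEY_CLASSES_ROOT", "HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE",
         "HKEY_USERS", "HKEY_CURRENT_CONFIG"}
VALUE_RE = re.compile(r'("(?:[^"\\]|\\.)*"|@)=(.*)')
FINDING_RE = re.compile(
    r"(?P<incident>.+?)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)")


@dataclass(frozen=True)
class RegAction:
    op: str           # delete_key | create_key | set_value | delete_value
    key: str
    name: str = ""    # value name, "@" for the key's default value
    data: str = ""    # value data as written in the file ("-" deletes the value)


def parse_reg(text: str) -> list[RegAction]:
    """Parse a .reg file into actions; raises ValueError on anything regedit would reject."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("the REGEDIT4 header must be the very first line (no blank lines before it)")
    actions: list[RegAction] = []
    key = None
    pending = ""  # joins hex(...) data continued over several lines with a trailing backslash
    for raw in lines[1:]:
        line = (pending + raw).strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            delete = body.startswith("-")          # [-KEY] deletes the whole key
            key = body[1:] if delete else body
            if key.split("\\", 1)[0].upper() not in HIVES:
                raise ValueError(f"unknown hive in key: {key}")
            actions.append(RegAction("delete_key" if delete else "create_key", key))
            continue
        m = VALUE_RE.fullmatch(line)
        if m is None or key is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name, data = m.group(1).strip('"'), m.group(2)
        actions.append(RegAction("delete_value" if data == "-" else "set_value", key, name, data))
    return actions


def parse_activescan(text: str) -> list[dict]:
    """Pull (incident, status, location) out of ActiveScan's flattened report lines."""
    return [m.groupdict() for line in text.splitlines()
            if (m := FINDING_RE.fullmatch(line.strip()))]


def check_fix(actions: list[RegAction], findings: list[dict]) -> dict:
    """Compare what the fix deletes with what the scanner flagged (registry names are case-insensitive)."""
    deleted = {a.key.lower(): a.key for a in actions if a.op == "delete_key"}
    flagged = {f["location"].lower(): f["location"] for f in findings
               if f["location"].upper().startswith("HKEY_")}
    return {
        "covered": sorted(deleted[k] for k in deleted if k in flagged),
        "flagged_not_in_fix": sorted(flagged[k] for k in flagged if k not in deleted),
        "deleted_but_not_flagged": sorted(deleted[k] for k in deleted if k not in flagged),
        # Findings without a registry path cannot be handled by a .reg file at all.
        "needs_other_tool": [f["incident"] for f in findings
                             if not f["location"].upper().startswith("HKEY_")],
    }


if __name__ == "__main__":
    report = check_fix(parse_reg(FIX_REG), parse_activescan(ACTIVESCAN))
    for heading, items in report.items():
        print(f"{heading}:")
        for item in items:
            print(f"  {item}")
```

For the thread's Fix.reg the two deleted keys match the two flagged Ext\Stats keys exactly, and the haxdoor and New.Net findings show up under needs_other_tool, which is why the post reaches for KillBox and the uninstaller for those.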

AfterDawn Addict
6. January 2007 @ 20:07
I think I managed to get all that done, here are the logs, hopefully you'll give me a clean bill of health.


Logfile of HijackThis v1.99.1
Scan saved at 4:52:43 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\nton\Desktop\all my copying programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.69:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/3,0,0,0/mvt.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...784/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Sol...wn.cab31267.cab
O18 - Protocol: bw+0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


01/07/07 16:35:09 [Info]: BlackLight Engine 1.0.55 initialized
01/07/07 16:35:09 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/07/07 16:35:09 [Note]: 7019 4
01/07/07 16:35:09 [Note]: 7005 0
01/07/07 16:35:23 [Note]: 7006 0
01/07/07 16:35:23 [Note]: 7011 392
01/07/07 16:35:23 [Note]: 7026 0
01/07/07 16:35:23 [Note]: 7026 0
01/07/07 16:35:36 [Note]: FSRAW library version 1.7.1021
01/07/07 16:51:50 [Note]: 2000 1012
01/07/07 16:51:50 [Note]: 2000 1012
01/07/07 16:52:09 [Note]: 7007 0

Bugger... out of curiosity I did an ActiveScan of my first 400 files.

Here's the log:


Incident Status Location

Virus:bck/haxdoor.gen Disinfected Operating system
Virus:bck/haxdoor.a Not disinfected Operating system
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:spyware/new.net Not disinfected Windows Registry




This message has been edited since posting. Last time this message was edited on 7. January 2007 @ 00:11

AfterDawn Addict
8. January 2007 @ 01:01
My comp is still showing signs of a virus, so I did some more scans, here are the logs generated.

C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\WINDOWS\vsnpstd2.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\nton\Desktop\all my copying programs\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.69:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-au\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM\..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab30149.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Share...bin/AvSniff.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...01/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Share...n/bin/cabsa.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://mvt.mcafee.com/mvt/bin/3,0,0,0/mvt.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-lo...784/mcfscan.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Sol...wn.cab31267.cab
O18 - Protocol: bw+0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: offline-8876480 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Incident Status Location

Virus:bck/haxdoor.a Not disinfected Operating system
Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\nton@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\nton\Cookies\nton@casalemedia[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\nton@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\nton@club.cdfreaks[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\nton@serving-sys[1].txt
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe[NNWARZ3_88.exe]
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[SHNT288.exe]
Adware:Adware/nCase Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[saap.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll

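As an added example (not a tool from the thread, and not HijackThis code), a short Python helper that reads O-lines in the format of the log above and lists the things a helper checks by eye: missing files, services with an unknown owner, Winlogon Notify DLLs, and one DLL registered under many protocol handlers. The sample lines are constructed from entries in that log.

```python
"""Triage helper for HijackThis logs like the one posted above.

Added example, not part of the thread and not HijackThis code. It reads the
O16/O18/O20/O23 lines a forum helper looks at and reports the things worth a
second look: entries whose file is missing, services with an unknown owner,
Winlogon Notify DLLs (the key Haxfix checks for Haxdoor), and a single DLL
registered under many protocol handlers (so dozens of O18 lines collapse to
one item).
"""
import re
from collections import Counter, defaultdict

# Constructed sample built from entries in the log above.
SAMPLE_LOG = """\
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab30149.cab
O18 - Protocol: bw+0 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {6C26BC7B-1D63-4DEA-A8D6-64507DD1A831} - C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\BWPlugProtocol-8876480.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\\PROGRA~1\\MSNMES~1\\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\\WINDOWS\\SYSTEM32\\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\\Program Files\\TGTSoft\\StyleXP\\StyleXPService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.+)$")


def parse_hjt(text):
    """Return (section, body) for every 'Oxx - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def section_counts(text):
    """How many entries each O-section has, e.g. {'O18': 4, 'O23': 2}."""
    return Counter(section for section, _ in parse_hjt(text))


def triage(text, cluster_threshold=3):
    """Return a list of (tag, detail) findings a helper would review by hand.

    Tags: 'missing-file', 'unknown-owner', 'winlogon-notify', 'handler-cluster'.
    Nothing here is a verdict; a legitimate product can trip any of these.
    """
    findings = []
    handlers_by_dll = defaultdict(list)
    for section, body in parse_hjt(text):
        if "(file missing)" in body:
            # Registration points at a file that is gone: leftover or hidden.
            findings.append(("missing-file", f"{section}: {body}"))
        if section == "O23" and "Unknown owner" in body:
            # No publisher recorded for a service; check the binary by hand.
            findings.append(("unknown-owner", body))
        if section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; Haxfix
            # checks this key for Haxdoor, so every entry gets a look.
            findings.append(("winlogon-notify", body))
        if section == "O18":
            # Body layout: 'Protocol: <name> - {CLSID} - <dll path>'.
            parts = [p.strip() for p in body.split(" - ")]
            if len(parts) >= 3:
                name = parts[0].split(": ", 1)[1]
                handlers_by_dll[parts[-1]].append(name)
    for dll, names in handlers_by_dll.items():
        if len(names) >= cluster_threshold:
            findings.append(
                ("handler-cluster", f"{len(names)} handlers ({', '.join(names)}) -> {dll}")
            )
    return findings


if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for tag, detail in triage(SAMPLE_LOG):
        print(f"[{tag}] {detail}")
```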
Senior Member
8. January 2007 @ 05:30
This is amazing, haha. Never has Haxdoor been so stubborn.

Run Option 1 with Haxfix again to see what is found. Also, run Rootkit Revealer and please post both logs.

AfterDawn Addict
8. January 2007 @ 10:20
HAXFIX logfile - by Marckie

version 4.34
Tue 01/09/2007 5:47:15.84

--- Checking for Haxdoor ---

checking for a3d files
a3d files found
ps.a3d
redir2.a3d

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!


This message has been edited since posting. Last time this message was edited on 8. January 2007 @ 10:26

bkf
Suspended due to non-functional email address
8. January 2007 @ 10:27
Remember Gwen and Niobis: Computers are fun :-)
AfterDawn Addict
8. January 2007 @ 10:39
@bkf

Quote:
Remember Gwen and Niobis: Computers are fun :-)
Yep, they can be but Not at the MOMENT

bkf
Suspended due to non-functional email address
8. January 2007 @ 10:45
Quote:
@bkf

Quote:
Remember Gwen and Niobis: Computers are fun :-)
Yep, they can be but Not at the MOMENT

LOL trust me been there done that :-)


Gwen some day you going to teach me how to post a picture as a picture can be worth a 1000 words.

Have to keep your chin up!

This message has been edited since posting. Last time this message was edited on 8. January 2007 @ 10:49

Senior Member
8. January 2007 @ 11:36
Let's go out on a limb and run Option 2 with Haxfix 'in safe mode'. As usual, please post the log.

If that doesn't work, I guess we'll have to delete the registry keys manually. Although, as of yet, I'm not sure how we'll be able to delete redir2.a3d because it is hidden with a rootkit. But, we'll worry about that later, if safe mode doesn't help.

Quote:
Remember Gwen and Niobis: Computers are fun :-)
Haha, yeah. This one sure isn't being fun. :-)

AfterDawn Addict
8. January 2007 @ 16:53
Restarted comp in Safe Mode and ran haxfix, here are the scan results.

HAXFIX logfile - by Marckie

version 4.32
Tue 01/09/2007 12:44:53.71

--- Checking for Haxdoor ---

checking for a3d files
a3d files found
ps.a3d
redir2.a3d

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!


This message has been edited since posting. Last time this message was edited on 8. January 2007 @ 16:55

Senior Member
8. January 2007 @ 17:15
I just do not understand why Haxfix will not remove those two files. Kind of a stupid question, but are you running Option 2?

AfterDawn Addict
8. January 2007 @ 17:30
I certainly am running option 2, very strange though.

Just noticed I was using version .32 not .34, will that be the reason?

It's 1.40 pm here and I have to go out for 1 hour, will get back to you if you're still active, Cheers.

OK here's the latest, went to safe mode and ran haxfix 4.34 (option 2) again, here's the log, I don't know if it's changed

HAXFIX logfile - by Marckie

version 4.34
Tue 01/09/2007 15:22:51.26

--- Checking for Haxdoor ---

checking for a3d files
a3d files found
ps.a3d
redir2.a3d

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found


Finished!


This message has been edited since posting. Last time this message was edited on 8. January 2007 @ 19:30

Senior Member
9. January 2007 @ 15:21
Click here to get The Avenger.

Extract avenger.exe to your desktop.
Copy all the following red text to the clipboard.

Files to delete:

C:\WINDOWS\System32\ps.a3d
C:\WINDOWS\System32\redir2.a3d


Note: The above script was created for this user only!

Start The Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon, which will open a "View/edit script" window.
Paste the text copied to clipboard into this window.
Click Done.
Click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

Post the contents of C:\avenger.txt into your next reply.

AfterDawn Addict
9. January 2007 @ 16:02
After clicking yes (after green light) this came up:

Error: Selected file does not appear to be a valid script. OK
I clicked OK then this: Press OK to log error and continue or abort, Error Code : 0, then OK and nothing happens. Am I missing something?

I did a reboot of comp and located txt file, here's the contents

Avenger Pre-Processor log
//////////////////////////////////////////

Error: selected file does not appear to be a valid script.
Error code: 0


This message has been edited since posting. Last time this message was edited on 9. January 2007 @ 16:51

Senior Member
10. January 2007 @ 04:16
The script worked for me, so yes, I think you're missing something. Make sure you include "Files to delete:" and make sure there are no blank lines before "Files..."

AfterDawn Addict
10. January 2007 @ 04:42
Yea, silly me, I left out (Files to delete), here's the text log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ipiqctry

*******************

Script file located at: \??\C:\Program Files\ucwbxwoq.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\System32\ps.a3d deleted successfully.
File C:\WINDOWS\System32\redir2.a3d deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

And there is a Zip file at location advised


This message has been edited since posting. Last time this message was edited on 10. January 2007 @ 04:44

Senior Member
10. January 2007 @ 04:56
Oh my God, finally, I think we're actually getting somewhere! w00t, w00t! :-D

Run ActiveScan one last time to see what remains.

This message has been edited since posting. Last time this message was edited on 10. January 2007 @ 04:57

AfterDawn Addict
10. January 2007 @ 06:31
OK it's now 2.30am here, am commencing scan, will report back, is yippie too soon?

Senior Member
10. January 2007 @ 08:20
Let's not count our chickens before they hatch, but I think a 'yippie' is in order. :-)

AfterDawn Addict
10. January 2007 @ 08:33
Hooray, it's gone

Still 3 hacking and heaps of spyware.

Thank you so very much

What do you recommend from here.


Incident Status Location

Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settingsynton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@ads.pointroll[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settingsynton\Cookies\anthea baynton@casalemedia[1].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@cdfreaks[2].txt
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@club.cdfreaks[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@serving-sys[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ynton\Cookies\anthea baynton@statcounter[1].txt
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe[NNWARZ3_88.exe]
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[SHNT288.exe]
Adware:Adware/nCase Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[saap.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll



guide by ScubaPete http://www.dvdplusvideo.com/tutorial007.html Nero guide by alkohol http://www.dvdplusvideo.com/Guides/alkohol_guide3.html

New RipIt4Me + DVD Shrink + ImgBurn guid <==== Rip any DVDs http://forums.afterdawn.com/thread_view.cfm/422740 Guides by bbmayo..... http://webpages.charter.net/bacitup/
Senior Member
_
11. January 2007 @ 08:58 _ Link to this message    Send private message to this user   
Copy the following bold text into Notepad.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44cf-8957-5838F569A31D}]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}]


Name the file Fix.reg
Change the "Save as Type" to All Files and save it on the desktop.
Open the Fix.reg file and click Yes when prompted to merge.

Delete these with KillBox in safe mode:
C:\WINDOWS\system32\xmltok.dll
C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe
C:\Documents and Settings\nton\Desktop\crap\CEDP-Stealer-Setup.exe


Clean the cookies with CCleaner or ATF Cleaner.


Should be clean now, finally. :-) If anything else comes up let me know. You're very welcome and good luck!
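As an added example (not part of the post above, and not code from KillBox, CCleaner or any other tool named here), the Python below produces the same REGEDIT4 fix file from the two CLSIDs and then checks a .reg file before it is merged, classifying every section as a key deletion, key creation, value set or value deletion and refusing anything that is not a deletion of an expected key. The `BAD_REG` sample is constructed to show what the check rejects; the `Run` key it touches is a standard autostart location, not something found on this machine.

```python
"""Build and sanity-check a REGEDIT4 "fix" file before merging it.

Added example, not part of the original thread.  A .reg file can add
autostart values just as easily as it deletes keys, so read it back and
confirm it only removes what you intended before double-clicking it.
"""
import re
from dataclasses import dataclass, field

STATS_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats'
# The two CLSIDs from the fix posted above.
STATS_CLSIDS = [
    '{00A6FAF1-072E-44cf-8957-5838F569A31D}',
    '{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}',
]
EXPECTED_KEYS = [STATS_KEY + '\\' + c for c in STATS_CLSIDS]

# [-key] deletes the key; [key] creates it.  "name"=-  deletes a value.
KEY_RE = re.compile(r'^\[(?P<minus>-?)(?P<path>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


@dataclass
class RegEntry:
    key: str
    action: str                     # 'delete_key' or 'create_key'
    values: list = field(default_factory=list)   # (name, 'set'|'delete', data)


def build_fix(clsids, parent=STATS_KEY):
    """Emit REGEDIT4 text: header, blank line, one [-key] section per CLSID."""
    lines = ['REGEDIT4', '']          # regedit expects a blank line after the header
    for clsid in clsids:
        lines.append('[-%s\\%s]' % (parent, clsid))
        lines.append('')
    return '\r\n'.join(lines)         # .reg files are CRLF text


def parse_reg(text):
    """Parse REGEDIT4 / 5.00 text into RegEntry objects.

    Conservative on purpose: any line it does not understand (for example a
    multi-line hex continuation) raises instead of being silently skipped.
    """
    lines = text.replace('\r\n', '\n').split('\n')
    if lines[0].strip() not in ('REGEDIT4', 'Windows Registry Editor Version 5.00'):
        raise ValueError('missing .reg header: %r' % lines[0])
    entries, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = RegEntry(m.group('path'),
                               'delete_key' if m.group('minus') else 'create_key')
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            data = m.group('data')
            current.values.append((m.group('name'),
                                   'delete' if data == '-' else 'set', data))
            continue
        raise ValueError('unrecognised line: %r' % line)
    return entries


def check_fix(text, expected_keys):
    """Return (ok, problems).  ok only if every section deletes an expected key."""
    wanted = {k.lower() for k in expected_keys}
    problems, seen = [], set()
    for e in parse_reg(text):
        if e.action != 'delete_key':
            problems.append('adds/modifies key: ' + e.key)
        elif e.key.lower() not in wanted:
            problems.append('deletes unexpected key: ' + e.key)
        if e.values:
            problems.append('sets values under: ' + e.key)
        seen.add(e.key.lower())
    for k in expected_keys:
        if k.lower() not in seen:
            problems.append('expected key not covered: ' + k)
    return (not problems, problems)


FIX_REG = build_fix(STATS_CLSIDS)

# Constructed counter-example: deletes one key but also plants an autostart value.
BAD_REG = (
    'REGEDIT4\r\n\r\n'
    '[-' + EXPECTED_KEYS[0] + ']\r\n\r\n'
    '[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n'
    '"Updater"="C:\\\\Temp\\\\updater.exe"\r\n'
)

if __name__ == '__main__':
    print(FIX_REG)
    print(check_fix(FIX_REG, EXPECTED_KEYS))
    print(check_fix(BAD_REG, EXPECTED_KEYS))
```

Save the output of `build_fix` with "Save as type" set to All Files, otherwise Notepad appends `.txt` and regedit will not offer to merge it.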

AfterDawn Addict
_
11. January 2007 @ 09:46 _ Link to this message    Send private message to this user   
I am unable to do so at present; however, I will do so later today as I will be otherwise engaged. I am unsure about CCleaner now, as I believe I picked up a virus after I downloaded the latest version from FileHippo. Where do you recommend I get it from? Thanks for all your help. I will get back to you later.



Senior Member
_
11. January 2007 @ 17:00 _ Link to this message    Send private message to this user   
Link for CCleaner Slim. (no Yahoo! Toolbar)

AfterDawn Addict
_
11. January 2007 @ 19:05 _ Link to this message    Send private message to this user   
@Niobis

I sincerely thank you for helping me with this problem. You really do "know your stuff"; if I can ever return the favour, you know where I am.

What do I do with the nasty little zip file called Avenger backup zip?

Latest report: I have just run ActiveScan as the computer is still running a little slow. Here's the latest log:
1 HackingTool and Rootkit
12 Spyware

This is after I ran both CCleaner and AVG spyware. Any ideas what's going on?


Incident Status Location

Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}
Spyware:Spyware/New.net Not disinfected C:\!KillBox\AresGalaxyClassic.exe[NNWARZ3_88.exe]
Spyware:Spyware/New.net Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[SHNT288.exe]
Adware:Adware/nCase Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[saap.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]
Adware:Adware/SAHAgent Not disinfected C:\!KillBox\xmltok.dll
Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt

More late-breaking news

I have traced the Hacking Tool/Rootkit to a file named
C:\Documents and Settings\nton\My Documents\desktop.ini
Details of this file are:
Configuration Settings
Attributes: Hidden, System
Date modified: 10 June 2005
Size: 85 bytes

Out of interest I right-clicked the file, went to Delete and got this response:
"The file 'desktop.ini' is a system file. If you remove it, your computer or one of your programs may no longer work correctly. Are you sure you want to move it to the Recycle Bin?"

Naturally I didn't do anything with it.

Does this help in any way?




This message has been edited since posting. Last time this message was edited on 12. January 2007 @ 02:28
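As an added example (not part of any post in this thread, and not code from ActiveScan or KillBox), the Python below parses ActiveScan "Incident Status Location" lines exactly as the scanner prints them, peels the bracketed archive members off the end of a path, and sorts each hit into a triage bucket: registry key, quarantined copy, tracking cookie, or a live file on disk. The sample lines are copied from the two logs posted in this thread. The quarantine rule is an assumption stated in the code: it treats anything under `C:\!KillBox\` as a KillBox backup copy rather than an active infection, since that is the folder KillBox moves deleted files into and every file hit in the second scan sits there.

```python
"""Triage an ActiveScan 'Incident Status Location' listing.

Added example, not from the thread.  Re-detections of files that were
already moved to a quarantine folder, and tracking cookies, are noise; a
responder wants to see the registry keys and live files first.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<family>[^:]+):(?P<name>.+?)\s+'
    r'(?P<status>Not disinfected|Disinfected|Deleted)\s+'
    r'(?P<location>.+)$')
# Trailing [member][member]... groups are nested archive/installer members;
# a bracket in the middle of a name (cookie files like name@site[2].txt) is not.
MEMBERS_RE = re.compile(r'^(?P<path>.*?)(?P<members>(?:\[[^\]]*\])*)$')

# Assumption: KillBox keeps backup copies of deleted files under C:\!KillBox.
QUARANTINE_DIRS = ('c:\\!killbox\\',)

# Sample lines copied from the logs posted in this thread.
SECOND_SCAN = [
    r'Potentially unwanted tool:application/zango Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ActiveX Compatibility\{99410cde-6f16-42ce-9d49-3807f78f0287}',
    r'Spyware:Spyware/New.net Not disinfected C:\!KillBox\AresGalaxyClassic.exe[NNWARZ3_88.exe]',
    r'Spyware:Spyware/New.net Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[SHNT288.exe]',
    r'Adware:Adware/nCase Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[saap.exe]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.inf]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whAgent.exe]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whInstaller.exe]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whSurvey.exe]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][webhdll.dll]',
    r'Adware:Adware/WebHancer Not disinfected C:\!KillBox\CEDP-Stealer-Setup.exe[wh.exe][whiehlpr.dll]',
    r'Adware:Adware/SAHAgent Not disinfected C:\!KillBox\xmltok.dll',
    r'Spyware:Cookie/Mysearch Not disinfected C:\Documents and Settings\LocalService\Cookies\system@mysearch[2].txt',
]
FIRST_SCAN = [
    r'Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\nton\Application Data\Mozilla\Firefox\Profiles\z3g3p4u9.default\cookies.txt[.atdmt.com/]',
    r'Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\nton\Cookies\anthea baynton@ads.pointroll[2].txt',
    r'Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\nton\Desktop\crap\AresGalaxyClassic.exe[NNWARZ3_88.exe]',
    r'Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe',
    r'Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\system32\xmltok.dll',
]


def parse_line(line):
    """Split one scanner line into its fields, or return None if it is not a hit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    loc = m.group('location').strip()
    pm = MEMBERS_RE.match(loc)
    return {
        'family': m.group('family').strip(),
        'name': m.group('name').strip(),
        'status': m.group('status'),
        'location': loc,
        'container': pm.group('path'),
        'members': re.findall(r'\[([^\]]*)\]', pm.group('members')),
    }


def classify(rec):
    """Bucket a hit by where it lives, not by what the scanner called it."""
    low = rec['container'].lower()
    if low.startswith('hkey_'):
        return 'registry'
    if any(low.startswith(q) for q in QUARANTINE_DIRS):
        return 'quarantined'
    if rec['name'].startswith('Cookie/') or '\\cookies\\' in low or low.endswith('cookies.txt'):
        return 'cookie'
    return 'live_file'


def triage(lines):
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[classify(rec)].append(rec)
    return dict(buckets)


def counts(lines):
    return {k: len(v) for k, v in triage(lines).items()}


if __name__ == '__main__':
    for bucket, recs in sorted(triage(SECOND_SCAN).items()):
        print(bucket, len(recs))
        for r in recs:
            print('   ', r['container'], r['members'])
```

Run against the second log, the only hits outside the quarantine folder are one ActiveX Compatibility registry key and one cookie; the eleven file hits are members of two installers that have already been moved to `C:\!KillBox`, so a scan will keep reporting them until that folder is emptied.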
