Access Members Area.exe
Flacian
Newbie
14. March 2006 @ 14:38
First of all, hello AfterDawn, long time fan of all your tutorials. But now I need some help. Recently I picked up this annoying dialer and it keeps reappearing on my desktop every half hour. I've located the source and deleted it, but it keeps returning.
Here is my HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 00:34:05, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7Play.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
Z:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
If somebody can help me remove this stupid dialer I would be extremely grateful.
Thanks in advance.
Flacian.
Senior Member
14. March 2006 @ 19:47
Hi Flacian, and yes, you've got some infections.
You have two antivirus programs running. This can cause problems.
Go to Control Panel -> Add or Remove Programs -> Remove AVG OR Norton
(I suggest that you remove AVG, especially if you have a paid licence for Norton)
Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download/
Cleaning instructions:
Move HijackThis.exe to its own folder, for example C:\HJT
Run HijackThis and fix these entries (if found): (Do a system scan only, check entries, close all other windows, press Fix checked)
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\Run: [ICcontrol] C:\WINDOWS\iccontrol.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O4 - HKCU\..\Run: [fofo] C:\PROGRA~1\COMMON~1\fofo\fofom.exe
O9 - Extra button: Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O9 - Extra 'Tools' menuitem: &Messenger Addon - {FB5F1911-F110-11d2-BB9E-00C04F795683} - http://messenger.ipfox.com (file missing)
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe
O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
Restart your computer into Safe Mode (press the F8 key while the computer is starting and choose Safe Mode)
Make your hidden files visible:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Show hidden files and folders.
Delete this folder if found:
C:\PROGRA~1\COMMON~1\-->fofo
Delete these files if found:
C:\WINDOWS\System32\-->qgfdh.dll
C:\WINDOWS\-->iccontrol.exe
C:\WINDOWS\SYSTEM32\-->wineak32.dll
Use the Windows "search" function (make sure that you search in hidden files and folders and in system folders too)
Search for this and delete if found: p6.exe
Empty the Recycle Bin
Make your hidden files invisible again:
->On the Tools menu in Windows Explorer, click Folder Options.
->Click the View tab.
->Under Hidden files and folders, click Do not show hidden files and folders.
Scan your computer with Ewido and save the log file.
Restart your computer normally.
Post a fresh HijackThis log and Ewido's log here so we can see if your computer is now clean.
I have moved from AD; I won't be taking new HijackThis logs from here. Reason: the AD's unsupportive atmosphere.
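A small triage script, added here as an example and not part of the thread, of HijackThis, or of JaPK's own method: it applies checks that match the entries JaPK singled out above (an O2 BHO with no name, a bare p6.exe under Run and RunServices, O16 downloads from a raw IP address or of an .exe, a Winlogon Notify DLL that is not one of XP's own) to lines copied from the first log. The list of Windows XP's own Winlogon Notify packages is an assumption.

```python
"""Triage helper for HijackThis v1.99-style log entries.

Added example for this thread, not part of HijackThis or the forum's tooling.
It recognises the O2/O4/O16/O20 entry shapes seen in the logs above and flags
the traits a log helper looks for. A flag means "look closer", not "malicious":
SOUNDMAN.EXE is a bare filename under Run too, and it is harmless.
"""
import re

# Assumption: Winlogon Notify packages that Windows XP ships with. Vendor
# drivers (ATI, Intel) register here too, so an unknown name means "check
# the DLL", which is exactly how wineak32 stood out in the log above.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*):\s+\[([^\]]*)\]\s+(.*)$")
O16_RE = re.compile(r"^DPF:\s+\{[^}]+\}(?:\s+\([^)]*\))?\s+-\s+(\S+)")
O20_RE = re.compile(r"^Winlogon Notify:\s+(\S+)\s+-\s+(.*)$")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]")


def split_entries(text):
    """Yield one entry per item, even when a paste ran several entries
    together on one line (as happened with the R0/R1 and O16 lines above)."""
    for line in text.splitlines():
        for part in re.split(r"\s+(?=(?:O\d+|R\d) - )", line.strip()):
            if part:
                yield part


def _exe_of(cmd):
    """Return the executable part of an O4 command (quotes and arguments removed)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ")[0]


def triage_entry(entry):
    """Return the reasons one entry deserves a closer look (empty list = none noted)."""
    m = ENTRY_RE.match(entry.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists (orphaned entry)")
    if kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("Browser Helper Object that registers no name")
    elif kind == "O4":
        m4 = O4_RE.match(body)
        if m4:
            key, cmd = m4.group(2), m4.group(4)
            if "\\" not in _exe_of(cmd):
                reasons.append("bare executable name with no path (resolved via the search path at logon)")
            if key == "RunServices":
                reasons.append("uses the Win9x-era RunServices key, which legitimate XP software rarely touches")
    elif kind == "O16":
        m16 = O16_RE.match(body)
        if m16:
            url = m16.group(1)
            if IP_URL_RE.match(url):
                reasons.append("ActiveX download point is a bare IP address")
            if url.lower().endswith(".exe"):
                reasons.append("ActiveX download point is an .exe rather than a .cab/.ocx")
    elif kind == "O20":
        m20 = O20_RE.match(body)
        if m20 and m20.group(1).lower() not in KNOWN_WINLOGON_NOTIFY:
            reasons.append("Winlogon Notify package that is not one of Windows XP's own")
    return reasons


def triage_log(text):
    """Return [(entry, reasons)] for every flagged entry in a pasted log, in log order."""
    flagged = []
    for entry in split_entries(text):
        reasons = triage_entry(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


# Constructed sample: entries copied from the first log in this thread, including
# the O16 line exactly as it was pasted (two entries run together).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {B9532165-BBF4-9002-F0B9-972C851400C6} - C:\WINDOWS\System32\qgfdh.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSNPluginSrvcs] p6.exe
O4 - HKLM\..\RunServices: [MSNPluginSrvcs] p6.exe
O16 - DPF: {4EDD7E56-3BAA-13B6-D0D4-4A6A2FE914A6} - http://69.50.173.166/1/rdgGB2404.exe O16 - DPF: {FAFF0003-0A01-121A-A1C9-08032B23E0CC} - http://uk.global-acces.com/seed/nat3.exe
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
"""

if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```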
Senior Member
14. March 2006 @ 21:31
EDITED...because it was rudely ignored... :p
Flacian
Newbie
15. March 2006 @ 03:38
Thank you very much, JaPK. Your help got rid of that dialer, and I've left my PC running for 2 hours while I was away and nothing has returned. I still think there are a couple of threats that remain, but anyway, here are the HJT and Ewido logs after fixing.
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:39, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7Play.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
Z:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
Ewido:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 13:31:04, 15/03/2006
+ Report-Checksum: 86C03736
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
[892] C:\WINDOWS\system32\wineak32.dll -> Downloader.Small.cml : Error during cleaning
C:\WINDOWS\system32\__delete_on_reboot__wineak32.dll -> Downloader.Small.cml : Cleaned with backup
C:\WINDOWS\Temp\win34.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win770.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\Temp\win663.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
C:\WINDOWS\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
C:\Documents and Settings\Kirby\Local Settings\Temporary Internet Files\Content.IE5\CFRBIS1L\WinFixer2005FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.f : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ilead.itrack[1].txt -> TrackingCookie.Itrack : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@stats.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@www.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Kirby\Cookies\kirby@adopt.euroclick[3].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP410\A0069679.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069687.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069688.exe -> Downloader.IstBar.er : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0069689.exe -> Downloader.PurityScan.bt : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070743.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070796.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070799.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070805.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070807.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070809.exe -> Downloader.PurityScan.by : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070823.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070829.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070837.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070841.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070842.exe -> Dialer.GBDialer.d : Cleaned with backup
C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070852.exe -> Dialer.GBDialer.d : Cleaned with backup
::Report End
I deliberately edited the Ewido log since the entries were mostly Firefox tracking cookies; the ones shown are the ones which seem to be threatening.
Senior Member
15. March 2006 @ 08:27
Ok, almost clean.
Fix this entry with HijackThis.
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
You can fix these entries with HijackThis if you want to make your computer (especially the startup) faster.
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VC7Player] C:\Program Files\HHVcdV7Sys\VC7Play.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Post a new HijackThis log.
Flacian
Newbie
15. March 2006 @ 09:09
Ah nuts, it came back, although it's been a good 5 hours. I've used HJT to locate the line and deleted it, along with wineak32.dll plus all the others you've listed to improve system performance.
Here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 19:05:23, on 15/03/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\HHVcdV7Sys\VC7SecS.exe
C:\Program Files\Virtual CD v7\System\VC7Tray.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitComet\BitComet.exe
Z:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Virtual CD v7 Management Service (VC7SecS) - H+H Software GmbH - C:\Program Files\HHVcdV7Sys\VC7SecS.exe
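A small triage helper for logs in this format, added here as an example (it is not HijackThis itself or any tool used in this thread): it parses O4, O18 and O23 lines into records and flags the things a reviewer checks first, such as a referenced file that no longer exists, a service with no vendor, or a startup item living in a Temp folder. The sample lines are taken from the log above; the flag heuristics are my own assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the shape of the HijackThis v1.99.1 log quoted in this thread
# (a few O4 / O18 / O23 lines only, not a full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - Global Startup: BTTray.lnk = ?
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Every HijackThis finding starts with its section id, e.g. "O4 - ..."
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str                       # "O4", "O18", "O23", ...
    name: str                          # display name of the item
    path: str                          # file path part (may still carry "(file missing)")
    vendor: str = ""                   # only O23 service lines carry a vendor field
    flags: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis O-lines into Entry records and attach triage flags (assumed heuristics)."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        # Split off the kind label, e.g. "HKLM\..\Run" / "Service" / "Protocol".
        _kind, _, rest = body.partition(": ")
        e = Entry(section=section, name="", path="")
        if section == "O4":
            nm = re.match(r"\[(.+?)\]\s*(.*)$", rest)     # "[ccApp] "C:\...\ccApp.exe""
            if nm:
                e.name, e.path = nm.group(1), nm.group(2)
            else:                                          # "Global Startup: BTTray.lnk = ?"
                e.name = rest
        elif section == "O23":
            parts = rest.split(" - ")                      # "display (short) - vendor - path"
            e.name = parts[0]
            e.vendor = parts[1] if len(parts) >= 3 else ""
            e.path = parts[-1]
        else:
            parts = rest.split(" - ")                      # "name - {CLSID} - path"
            e.name = parts[0]
            e.path = parts[-1] if len(parts) > 1 else ""
        # Triage heuristics (assumptions of this example, not HijackThis logic).
        if "(file missing)" in e.path:
            e.flags.append("file missing")
        if e.vendor == "Unknown owner":
            e.flags.append("unknown owner")
        if "\\temp\\" in e.path.lower():
            e.flags.append("runs from a Temp folder")
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> List[Tuple[str, str, List[str]]]:
    """Return (section, name, flags) for every entry that raised at least one flag."""
    return [(e.section, e.name, e.flags) for e in entries if e.flags]


if __name__ == "__main__":
    for sec, name, flags in flagged(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:<4} {name:<24} {', '.join(flags)}")
```

A flag is a reason to look, not a verdict: the "(file missing)" msnim handler above is a stale MSN Messenger entry, and the "Unknown owner" ATI service is a legitimate driver helper, which is exactly why logs in this thread are reviewed by a person rather than auto-cleaned.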
Senior Member
15. March 2006 @ 09:23
Ok, log looks clean now.
But to make sure that you are clean, let's try this:
Download eScan from here and save it to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Double-click the file mwav.exe (on your desktop) and unzip the program to its default location (C:\Kaspersky)
Close the eScan window.
Then go to the folder C:\Kaspersky and run a file called kavupd.exe. It will update the program. (If the firewall alerts about connections to this program, allow those)
When kavupd.exe has finished, go to the folder C:\Downloads and press CTRL+A (select all files), then press CTRL+C (copy), go to the folder C:\Kaspersky and press CTRL+V (paste); overwrite files when asked.
Then go to the folder C:\Kaspersky and run a file named mwavscan. Check these options:
Memory, Registry, Startup Folders, System Folders, Services, Drive -> All Local drives, Scan all files
Then press the Scan Clean button. (Scanning may take some time.)
When the scan has finished, copy the results from the field in the scan window. Just select those with your mouse, copy them, and paste and save them with Notepad to your desktop. Name it viruslog.txt
Post the eScan results (viruslog.txt) here.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 15. March 2006 @ 09:40
Flacian
Newbie
15. March 2006 @ 11:36
File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\WINDOWS\Temp\win3CD.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33BB5C39.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\053048EA.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070720.EXE tagged as not-a-virus:Porn-Dialer.Win32.Agent.z. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070721.EXE infected by "Trojan.Win32.LowZones.g" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070722.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070723.SCR infected by "Email-Worm.Win32.Wurmark.j" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070725.EXE tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070726.EXE infected by "Trojan-Downloader.Win32.PurityScan.bt" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070727.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070728.EXE infected by "P2P-Worm.Win32.VB.ca" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070729.COM infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070730.EXE infected by "Trojan-Downloader.Win32.TSUpdate.p" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070731.EXE infected by "Trojan.Win32.Pakes" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070732.EXE infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070733.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070734.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.c. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070735.EXE tagged as not-a-virus:Downloader.Win32.WinFixer.b. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070792.dll tagged as not-a-virus:AdWare.Win32.PurityScan.ak. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070810.exe tagged as not-a-virus:AdWare.Win32.PurityScan.bu. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP412\A0070962.exe tagged as not-a-virus:AdWare.Win32.MediaTickets.u. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070969.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070976.dll infected by "Trojan-Downloader.Win32.Small.cml" Virus. Action Taken: File Deleted.
File C:\Installation Files\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
It's been almost 3 hours since the last time the dialer showed up; however, I'm not gonna get overconfident over it. wineak32.dll seems to regenerate itself whenever the PC is restarted. I have turned to using HJT every once in a while to keep control should the dialer and the .dll return, but it would be nice if they were gone once and for all; hopefully with eScan they should be gone for good.
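The eScan output above has a fixed shape ("infected by ... Action Taken: ..." versus "tagged as not-a-virus:... No Action Taken."), so it is easy to summarize. The following is an added example, not part of this thread or of eScan: it parses those lines into records and separates what was actually removed from what is still on disk, and within the leftovers singles out files inside System Volume Information\_restore, which is why the reply further down asks to disable System Restore before scanning again. Sample lines are a constructed subset of the results posted above; the "quarantine" and "restore point" checks are my own path heuristics.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: a subset of the eScan (mwavscan) result lines posted in this thread.
SAMPLE_RESULTS = r"""
File C:\WINDOWS\Temp\win37.tmp.exe infected by "Trojan.Win32.Dialer.oy" Virus. Action Taken: File Deleted.
File C:\Program Files\mIRC\mirc.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.616. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33B8323D.exe tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070724.EXE infected by "Backdoor.Win32.Rbot.sh" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP411\A0070725.EXE tagged as not-a-virus:Porn-Dialer.Win32.GBDialer.d. No Action Taken.
File C:\System Volume Information\_restore{98C6DB5A-F312-482E-9A78-8E4C88115843}\RP413\A0070976.dll infected by "Trojan-Downloader.Win32.Small.cml" Virus. Action Taken: File Deleted.
"""

# Two line shapes appear in the output: a malware verdict with an action, and a
# "not-a-virus" tag (riskware, dialers, adware) on which eScan takes no action.
INFECTED_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. Action Taken: (?P<action>.+?)\.$')
TAGGED_RE = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>not-a-virus:\S+?)\. (?P<action>No Action Taken)\.$')


@dataclass
class Finding:
    path: str
    name: str
    verdict: str      # "infected" or "not-a-virus"
    action: str       # "File Deleted", "File Renamed", "No Action Taken"

    @property
    def still_present(self) -> bool:
        # Renamed files are neutralised but still on disk; only "Deleted" is gone.
        return self.action != "File Deleted"

    @property
    def in_restore_point(self) -> bool:
        # Assumed heuristic: System Restore keeps copies under _restore{GUID}\RPnnn.
        return "\\system volume information\\_restore" in self.path.lower()

    @property
    def in_av_quarantine(self) -> bool:
        # Assumed heuristic: a hit inside another product's Quarantine folder is already contained.
        return "\\quarantine\\" in self.path.lower()


def parse_escan(text: str) -> List[Finding]:
    """Turn eScan result lines into Finding records; lines of any other shape are skipped."""
    out: List[Finding] = []
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line)
        if m:
            out.append(Finding(m["path"], m["name"], "infected", m["action"]))
            continue
        m = TAGGED_RE.match(line)
        if m:
            out.append(Finding(m["path"], m["name"], "not-a-virus", m["action"]))
    return out


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts by action plus the leftovers that still need a decision."""
    leftovers = [f for f in findings if f.still_present]
    return {
        "actions": Counter(f.action for f in findings),
        "leftover_in_restore_points": [f.path for f in leftovers if f.in_restore_point],
        "leftover_already_quarantined": [f.path for f in leftovers if f.in_av_quarantine],
        "leftover_other": [f.path for f in leftovers
                           if not f.in_restore_point and not f.in_av_quarantine],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_escan(SAMPLE_RESULTS)).items():
        print(key, value)
```

Reading the summary the way the helper in this thread does: the Temp-folder dialer is gone, the mIRC hit is a known client tagged as riskware and can be ignored, the Norton Quarantine file is already contained, and the two restore-point copies will only disappear once System Restore is turned off and the scan is repeated.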
Senior Member
15. March 2006 @ 19:29
Ok. It is still coming back, right? Post me a dirty HijackThis log (don't clean it yourself) because I need to know the exact files and entries that are coming back.
So post me a new HijackThis log and don't remove eScan from your computer just yet.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 15. March 2006 @ 19:30
Senior Member
15. March 2006 @ 21:46
Like I said before, it's in the startup I think... uncheck it from msconfig... this will stop it appearing but it will still be on your system...
This message has been edited since posting. Last time this message was edited on 15. March 2006 @ 21:46
Flacian
Newbie
16. March 2006 @ 01:45
Nah, msconfig shows nothing.
It looks fine now. The dialer hasn't returned for about 8 hours of PC runtime, wineak32.dll didn't regenerate itself when I ran HJT first thing after I switched the PC on this morning, and eScan purged the rest of the threatening files that Ewido didn't. If anything comes up I'll stick up a new HJT log, but right now it's pretty much the same one you said was clean, JaPK.
Senior Member
16. March 2006 @ 03:10
Ok, good, but eScan couldn't clean everything because some of the files were in System Restore.
To get rid of those files, do this:
-> Disable System Restore, instructions here -> http://service1.symantec.com/support/tsgeninfo.nsf/docid/20011119...
-> Run eScan again
-> Post eScan's findings here the same way you did earlier.
-> Enable System Restore
-> If everything is clean, then the next step is to update your Windows... but post eScan's findings first...
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 16. March 2006 @ 03:12
Flacian
Newbie
16. March 2006 @ 05:36
Disabled System Restore, ran eScan again, nothing came up. Looks clean now; it's been over 12 hours of PC runtime and not a trace of the dialer, but I'll update Windows and check HJT once in a while to keep my PC in check. Thanks very much for all the help, JaPK.
Senior Member
16. March 2006 @ 08:07
Ok, that is great to hear. If problems occur then just post here and we'll help you.
And yes, update your Windows and Internet Explorer -> http://windowsupdate.microsoft.com/
You are welcome =)
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
aasimn
Junior Member
24. March 2006 @ 16:58
Can you please guide me through this again PLEASE PLEASE
I HAVE THE SAME PROBLEM!
CAN YOU PLEASE MAKE IT EASIER??
THANKS A LOT!!!
Senior Member
24. March 2006 @ 19:54
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 24. March 2006 @ 19:55
aasimn
Junior Member
25. March 2006 @ 14:41
Hey... I can't get through HijackThis? It downloads, then doesn't open.
Senior Member
25. March 2006 @ 19:23
Ok, let's try again.
Download HijackThis from here -> http://koti.mbnet.fi/pattaya1/lataus/hijackthis_self.exe Save it to your desktop.
Then go to your desktop and double-click the file
hijackthis_self.exe
Press the OK button. [Don't mind the Finnish text =)]
Then press the Unzip button.
Then press the OK button.
IF HijackThis doesn't open automatically, go to C:\HJT and double-click the file hijackthis.exe
Then (in HijackThis) press the "Do a system scan and save a log file" button.
Wait while it creates the log.
When it is ready, the log opens in a Notepad window.
Go to this document, select all text with your mouse and copy it.
Then paste the log into your new thread.
I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
This message has been edited since posting. Last time this message was edited on 25. March 2006 @ 20:00