Options

MSN photovirus confirmation please :(

edited August 2007 in Spyware & Virus Removal
ahh well, i got the photovirus, and attempted to fix it with a way my friend taught me, so can you take a look at my hijackthis log and tell me whether its gone for good?

Thx in advance ^^


so, it was all smooth, until i ran combofix lol, the virus just started all over again,

"nicholas" - 2007-07-24 22:11:23 [GMT 8:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\nicholas\APPLIC~1.\macromedia\Flash Player\#SharedObjects\GHYYQKDG\iforex.com
C:\DOCUME~1\nicholas\APPLIC~1.\macromedia\Flash Player\#SharedObjects\GHYYQKDG\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\DOCUME~1\nicholas\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\DOCUME~1\nicholas\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol


((((((((((((((((((((((((( Files Created from 2007-06-24 to 2007-07-24 )))))))))))))))))))))))))))))))


2007-07-24 22:10 51,200 --a
C:\WINDOWS\nircmd.exe
2007-07-24 19:31 26,000 --a
C:\WINDOWS\system32\firewallav.dll
2007-07-23 19:13 <DIR> d
C:\Program Files\YouTube Downloader
2007-07-21 18:12 <DIR> d
C:\Program Files\DAMN NFO Viewer
2007-07-18 22:43 3,311 --a
C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Windows Media Audio 9 Codec.dat
2007-07-18 20:32 <DIR> d
C:\Program Files\DietMP3
2007-07-18 20:24 <DIR> d
C:\Program Files\FileZilla
2007-07-18 19:55 3,229 --a
C:\WINDOWS\system32\SpoonUninstall-dBpoweramp AAC Encoder.dat
2007-07-18 19:45 3,087 --a
C:\WINDOWS\system32\SpoonUninstall-dBpoweramp mp3 (Fraunhofer IIS) Codec.dat
2007-07-18 15:00 <DIR> d
C:\DOCUME~1\nicholas\APPLIC~1\Apple Computer
2007-07-18 14:55 <DIR> d
C:\Program Files\QuickTime
2007-07-18 14:55 <DIR> d
C:\Program Files\Apple Software Update
2007-07-18 14:55 <DIR> d
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-18 14:55 <DIR> d
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-15 15:49 26,112 --a
C:\WINDOWS\system32\nircmd.exe
2007-07-15 15:05 <DIR> drahs---- C:\autorun.inf
2007-07-11 16:17 <DIR> d
C:\DOCUME~1\nicholas\int
2007-07-10 20:17 0 -ra
C:\logwmemory.bin
2007-07-08 13:48 <DIR> d
C:\Program Files\MozBackup


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-24 13:47:34
d
w C:\DOCUME~1\nicholas\APPLIC~1\MegauploadToolbar
2007-07-24 11:36:27
d
w C:\Program Files\FlashGet
2007-07-24 02:55:36
d
w C:\Program Files\MegauploadToolbar
2007-07-22 13:54:00
d
w C:\Program Files\Warcraft III
2007-07-22 01:58:25
d
w C:\Program Files\F-CRC
2007-07-18 14:43:00 133,632 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-07-18 11:48:40 3,590 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp m4a Codec.dat
2007-07-13 02:23:54
d
w C:\DOCUME~1\nicholas\APPLIC~1\uTorrent
2007-06-19 23:20:27
d
w C:\Program Files\7-Zip
2007-06-19 12:06:36
d
w C:\DOCUME~1\nicholas\APPLIC~1\Azureus
2007-06-10 11:30:34 43,220 ---ha-w C:\WINDOWS\system32\mlfcache.dat
2007-06-02 10:57:11
d
w C:\Program Files\Creative
2007-05-25 23:18:05 499 ----a-w C:\WINDOWS\system32\cid_store.dat
2007-05-08 11:24:48 8,112 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp DSP Effects.dat
2007-05-08 11:18:48 2,999 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Ogg Vorbis Codec.dat
2007-05-08 10:14:32 13,013 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpoweramp Music Converter.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-07-27 17:01 C:\WINDOWS\SOUNDMAN.EXE]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-08-12 15:13]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-08-12 15:12]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 15:07]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 13:38 C:\WINDOWS\AGRSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 21:20]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-03-20 23:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoControlPanel"=0 (0x0)
"NoClose"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"HideClock"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"antivirus"= {DB01C943-ACA0-4649-88A3-D1D4FAA469D2} - firewallav.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cleanup]
C:\DOCUME~1\nicholas\LOCALS~1\Temp\200742120351_mcappins.exe /v=3 /cleanup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msci]
C:\DOCUME~1\nicholas\LOCALS~1\Temp\2007421203457_mcinfo.exe /insfin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
C:\Program Files\McAfee.com\VSO\mcvsshld.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)

R1 FsVga;FsVga;C:\WINDOWS\system32\DRIVERS\fsvga.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 EpmPsd;Acer EPM Power Scheme Driver;\??\C:\WINDOWS\system32\drivers\epm-psd.sys
R2 EpmShd;Acer EPM System Hardware Driver;\??\C:\WINDOWS\system32\drivers\epm-shd.sys
R3 ALCXSENS;Service for WDM 3D Audio Driver;C:\WINDOWS\system32\drivers\ALCXSENS.SYS
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
S3 ba1;ba1;\??\C:\Documents and Settings\nicholas\Desktop\Ba Gay Engine\ba.sys
S3 spuce1;spuce1;\??\C:\Documents and Settings\nicholas\Desktop\SPUCE 2.0\spuce.sys
S3 w29n51;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w29n51.sys
S3 zenos1;zenos1;\??\C:\Documents and Settings\nicholas\Desktop\zenosengine2.5\zenos.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac156bce-d6e6-11db-86da-000e35a6f8cf}]
AutoRun\command- F:\browsercall.exe index.html

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c108eec3-e8f5-11db-871b-000e35a6f8cf}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e379c80a-8365-11db-862b-000e35a6f8cf}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e379c80b-8365-11db-862b-000e35a6f8cf}]
Auto\command- RavMonE.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-24 22:14:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\1\x4e40Q\vN}]
"Order"=hex:08,00,00,00,02,00,00,00,74,01,00,00,01,00,00,00,03,00,00,00,84,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\x8254\x9cc0]
"Order"=hex:08,00,00,00,02,00,00,00,76,01,00,00,01,00,00,00,03,00,00,00,7a,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9AF09C3A-2A4B-B63A-7BC0-09024A9F8C87}]
"iaanejpbgooljlnfmk"=hex:6a,61,65,70,69,68,66,65,6b,6b,63,63,65,63,70,6b,6d,64,68,6b,00,..
"hakncdaeoopmlpeo"=hex:6a,61,65,70,69,68,66,65,6b,6b,63,63,65,63,70,6b,6d,64,68,6b,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\hQ\x9eda]
"\x86ec\x97f9T\x20ac\x9aae???"=dword:00000001
"\x86ec\x97f9\x6439eQ???"=dword:00000001
"\20?n\x884f:y??"=dword:00000001
"\26Y\1x\x884f:y?"=dword:00000001
"\x895dzz<h?"=dword:00000000
"IQ\ah\x9096\x5f47??"=dword:00000001
"<SPACE>"=dword:00000001
"<ENTER>"=dword:00000000
"FC Input"=dword:00000000
"FC aid"=dword:00000000
"GB/GBK"=dword:00000000

scanning hidden files ...

C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(41.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(54.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(8.zip 117982 bytes hidden from API

scan completed successfully
hidden files: 3

**************************************************************************

Completion time: 2007-07-24 22:15:39
C:\ComboFix-quarantined-files.txt ... 2007-07-24 22:15

--- E O F ---

thx in advance

Comments

  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Hi itikgoreng,

    And welcome to icrontic :D

    Open Notepad and copy and paste quote boxes text:
    file::
    C:\WINDOWS\system32\firewallav.dll

    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad]
    "antivirus"=-

    Save to nameCFScript

    Then drag and drop CFScript to ComboFix.exe As shows below.

    CFScript.gif

    Reboot your comp and send contens off combofix.txt file to responce.
  • edited July 2007
    ok, so i just drag the new text file i created into combofix, and let is create a log, after which i restart my computer and post here?

    Thx for the fast reply XD
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Yes, exactly :D
  • edited July 2007
    attached is the new log
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Hi

    Please send a fresh hijack log,

    Instructions
  • edited July 2007
    Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 12:24:40 AM, on 7/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\WINDOWS\AGRSMMSG.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\nicholas\Desktop\HiJackThis_v2.exe O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: ?ì3μ(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab O21 - SSODL: antivirus - {DB01C943-ACA0-4649-88A3-D1D4FAA469D2} - firewallav.dll (file missing) O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe -- End of file - 5156 bytes well this is the new log, i did the ATF-cleaner, spybot snd updates and check, avg antivirus check, and retook a new log file for hijackthis
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    HI


    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update succesfull message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.


    Rescan with hijack and check :

    O21 - SSODL: antivirus - {DB01C943-ACA0-4649-88A3-D1D4FAA469D2} - firewallav.dll (file missing)

    Close all windows and click fix checked.


    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.
    Once in Safe Mode:

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
        scanavgjk2.jpg
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot back into Normal Mode, and post a new HJT log, along with the AVG Anti-Spyware report.
  • edited July 2007
    newlogs. Logfile of Trend Micro HijackThis v2.0.0 (BETA) Scan saved at 8:15:16 AM, on 7/25/2007 Platform: Windows XP SP2 (WinNT 5.01.2600) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe C:\WINDOWS\AGRSMMSG.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\nicholas\Desktop\HiJackThis_v2.exe O2 - BHO: ThunderAtOnce Class - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll (file missing) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll O3 - Toolbar: ?ì3μ(FlashGet) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user') O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll O9 - Extra button: (no name) - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - (no file) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ?ì3μ - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra 'Tools' menuitem: ?ì3μ(FlashGet) - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} (GomWeb Control) - http://app.ipop.co.kr/gom/GomWeb.cab O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe -- End of file - 5260 bytes http://www.megaupload.com/?d=BGAWWCJ8 this is the antispy log file, i cant seem to use the attach function in the forums.
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Hi,

    logs are clean :D

    There is some tracking cookies, needed to remove :

    Please Download ATF-Cleaner by Atribune to your desktop.

    Run ATF Cleaner Under Main choose: Select All
    Click the Empty Selected button.

    If you use Firefox browser Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.

    Boot comp, and tell is problem away :D
  • edited July 2007
    im not sure whether the problem is totally away, but for now, there is no sign of it, and i am hopeful of this to continue.
    as for the tracking cookies, i know where i got them from, and i will delete them as recommended.

    thanks for all your help, and for all the help u provide freely to others in need ^^. I know where to come to next time i need help with my pc.

    Salute!
  • NuppiNuppi South Ostrobothnia (Finland)
    edited July 2007
    Hi,

    Okei we wait few days. Please post if occur problems :D
  • NuppiNuppi South Ostrobothnia (Finland)
    edited August 2007
    Glad I could be of assistance! The help you received here was free. Please read through some of these Prevention Tips that Short-Media offers.

    This topic is now closed. If you wish it reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.

    If you are not the user who started this thread, you must start a new Thread instead :)

    Would you also be interested to join Short-Media (Team #93) with the Folding@Home Project? More information available here
Sign In or Register to comment.