I guess it is my turn

TheLostSwede Trondheim, Norway Icrontian
edited September 2007 in Spyware & Virus Removal
Haven't had a popup in years. Been running AVG, Defender and Ad-Aware. Ad-Aware finds a lot of suspicious files, but can't get rid of them. I did get an error starting HJT as well, but at least it scanned, and here it is.

Logfile of HijackThis v1.99.1
Scan saved at 22:08:55, on 23.08.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\logon.scr
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocztechnologyforum.com/forum/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleedinedge.com/forum/forumdisplay.php?f=45
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.24.35.14:8965
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\RunServices: [Windows Services] Iexplore.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123280927000
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://www.netshop.se:8090/aspx/publisher/admin/tx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

Comments

  • edited August 2007
    Hi!

    Download SDFix and save it to your Desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.
    ______________________________

    Please download Combofix to your desktop.
    Double-click combo.exe to launch the application.
    Follow the prompts that will be displayed on the screen.
    Don't click on the window while the fix is running, because that will cause your system to hang.
    When finished, it should produce a log, combofix.txt.
    Post this log in your next reply together with a new HijackThis log.
    _________________________

    Please post a fresh HijackThis log, ComboFix log and SDFix log :)
  • TheLostSwede Trondheim, Norway Icrontian
    edited August 2007
    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:45, on 27.08.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\oodag.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\rdpclip.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\WINDOWS\system32\logon.scr
    C:\Program Files\FlashGet\flashget.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ocztechnologyforum.com/forum/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bleedinedge.com/forum/forumdisplay.php?f=45
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.24.35.14:8965
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll (file missing)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\RunServices: [Windows Services] Iexplore.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123280927000
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
    O16 - DPF: {B6A084E0-BF8F-101C-AED5-00608CF525A5} (TX - ButtonBar Control) - http://www.netshop.se:8090/aspx/publisher/admin/tx.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe

    The ComboFix link doesn't work, I'm afraid.
  • TheLostSwede Trondheim, Norway Icrontian
    edited August 2007
    Hi and thanks,

    There was no "Y" choice, but I ran all 3 of those applications anyway, and here are all the logs I got out of them.

    a-squared:

    a-squared Command Line Scanner - Version 3.0
    Last update: N/A

    Scan settings:

    Objects: Memory, Traces, Cookies, C:
    Scan archives: On
    Heuristics: Off
    ADS Scan: On

    Scan start: 26.08.2007 23:50:40

    [2324] C:\WINDOWS\WebAssist.dll detected: Adware.Win32.BHO.cz
    [2568] C:\WINDOWS\WebAssist.dll detected: Adware.Win32.BHO.cz
    [7684] C:\WINDOWS\WebAssist.dll detected: Adware.Win32.BHO.cz
    c:\documents and settings\all users\start menu\programs\realvnc detected: Trace.Directory.VNC
    c:\program files\realvnc detected: Trace.Directory.VNC
    Key: HKEY_CLASSES_ROOT\clsid\{7b87a1e1-481a-47a5-b58f-bb1430dcc930} detected: Trace.Registry.Eventlog
    c:\program files\gamespy arcade detected: Trace.Directory.GameSpy Arcade
    c:\documents and settings\mackanz\start menu\programs\gamespy arcade detected: Trace.Directory.GameSpy Arcade
    c:\documents and settings\mackanz\application data\microsoft\internet explorer\quick launch\gamespy arcade.lnk detected: Trace.File.GameSpy Arcade
    Value: HKEY_CURRENT_USER\Software\GameSpy\GameSpy Arcade --> InstDir detected: Trace.Registry.GameSpy Arcade
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GameSpy Arcade --> DisplayName detected: Trace.Registry.GameSpy Arcade
    Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GameSpy Arcade --> UninstallString detected: Trace.Registry.GameSpy Arcade
    C:\Documents and Settings\mackanz\Cookies\mackanz@247realmedia[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@2o7[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@about[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adknowledge[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ads.cdfreaks[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adserver.adreactor[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adserver.adremedy[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adserver.bluereactor[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adserver.easyad[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adserver.filefront[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adtech[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@advertising[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@adviva[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@as-us.falkag[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@atdmt[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@atdmt[3].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bfast[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bilbo.counted[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bizrate[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bluestreak[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bravenet[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@bs.serving-sys[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@burstnet[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@casalemedia[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@cdfreaks[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@centrport[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@cgi-bin[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@citi.bridgetrack[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@clickability[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@commission-junction[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@commonsensemedia[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@community.codemasters[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@community.sgdotnet[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@completealbumlyrics[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@compulenta[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@computerhope[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@computersoc[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@com[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@com[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@coolsavings[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@counter.hitslink[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@counter2.hitslink[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@countercentral[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@data.coremetrics[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@dealtime[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@doubleclick[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@doubleclick[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@edge.ru4[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-bestbuy.hitbox[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-idg.hitbox[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-micron.hitbox[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-oreilly.hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-sonyesolutions.hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-techtarget.hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg-ubisoft.hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ehg.hitbox[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@ercva[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@fastclick[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@gamespyid[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@gamespy[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@hotlog[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@hypertracker[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@indextools[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@landing.domainsponsor[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@linkconnector[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@linksynergy[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@linksys[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@link[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@maxserving[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@media.putfile[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@media.sweclockers[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@media101.sitebrand[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@media6.sitebrand[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@mediahump[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@mediaonenetwork[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@mediaplex[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@mediaserver.avolutia[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@phg.hitbox[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@popunder.paypopup[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@pricegrabber[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@qksrv[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@questionmarket[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@realmedia[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@revenue[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@server.iad.liveperson[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@serving-sys[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@spylog[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@stat.dealtime[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@stat.onestat[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@statcounter[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@stats1.clicktracks[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@statse.webtrendslive[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@superstats[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@targetnet[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@tradedoubler[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@trafficmp[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@tribalfusion[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@tripod[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@valueclick.ne[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@valueclick[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@valueclick[2].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@valueclick[3].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@z1.adserver[1].txt detected: Trace.TrackingCookie
    C:\Documents and Settings\mackanz\Cookies\mackanz@zedo[2].txt detected: Trace.TrackingCookie
    C:\ATI\SUPPORT\5-13_xp-2k_dd_ccc_wdm_enu_29124\AtiCimUn.exe detected: Trojan-Downloader.Win32.Agent.bkw
    C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe detected: Trojan-Downloader.Win32.Agent.bkw
    C:\WINDOWS\WebAssist.dll detected: Adware.Win32.BHO.cz

    Scanned

    Files: 162477
    Traces: 135708
    Cookies: 2268
    Processes: 40

    Found

    Files: 3
    Traces: 9
    Cookies: 105
    Processes: 3

    Quarantined

    Files: 3
    Traces: 5
    Cookies: 105
    Processes: 3

    Scan end: 27.08.2007 00:31:30
    Scan time: 0:40:50
  • edited August 2007
    Ok.
    Let's use dss.
    ___________________

    Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible.
    Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.
    ___________________

    Please open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll (file missing)
    O4 - HKLM\..\RunServices: [Windows Services] Iexplore.exe
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/F...ansferCtrl.cab


    Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
    ________________________

    Reboot into Safe Mode by continuously tapping the F8 key as soon as the computer begins to boot. A menu should come up where you will be given the option to enter Safe Mode.

    ________________________

    Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    _________________________

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\WebAssist.dll

    C:\WINDOWS\Iexplore.exe
    or C:\WINDOWS\System32\Iexplore.exe
    _________________________

    Please set your system to hide all hidden files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
    Check: Hide file extensions for known file types
    Check the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    __________________________

    When you are finished, please reboot the computer normally.
    __________________________

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
        Extended (if available otherwise Standard)
      • Scan Options:
        Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan, select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    ______________________

        Please download Deckard's System Scanner to your Desktop


        • Close all applications and windows.
        • Double-click on Dss.exe to run it, and follow the prompts.
        • The scan may take a minute. When the scan is complete, two text files will open: Main.txt and extra.txt

        Please post Main.txt and Extra.txt
        ___________________________

        Please, post main.txt, extra.txt and Kaspersky's results.
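As an added example (not from this thread, and not HijackThis or Ad-Aware code), a small Python triage script that parses HijackThis O2 and O4 lines in the format quoted above and flags the two patterns the helper singled out: BHO registrations with no backing DLL, and an autostart entry that launches a bare executable name which mimics a browser or system process. The "Example Helper" and "ExampleTool" entries are constructed controls and do not appear in the log.

```python
import re
from typing import List, Tuple

# Sample input constructed for this example: the three suspicious entries in the
# HijackThis format quoted above, plus two benign control entries that are NOT on the page.
SAMPLE_LOG = """\
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\Example\\Helper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\\WINDOWS\\WebAssist.dll (file missing)
O4 - HKLM\\..\\RunServices: [Windows Services] Iexplore.exe
O4 - HKLM\\..\\Run: [ExampleTool] C:\\Program Files\\Example\\tool.exe /background
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")

# Names that unwanted software borrows so an autostart looks like a browser or OS process.
LOOKALIKE_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}


def triage_hjt_lines(log: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for O2/O4 entries that deserve a closer look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            # A BHO whose DLL is gone is a leftover registration, not a working add-on.
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append((line, "orphaned BHO: CLSID registered but no backing DLL"))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = m.group("cmd").split()[0]
            if "\\" not in exe:
                # Legitimate autostarts carry a full path; a bare name is resolved by search order.
                reason = "autostart launches a bare executable name (no path)"
                if exe.lower() in LOOKALIKE_NAMES:
                    reason += f"; name mimics {exe.lower()}"
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt_lines(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```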
      • edited August 2007
        Did you try run SdFix in safemode?
      • edited September 2007
        Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

        Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.

        If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

        Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
        If you are not the user who started this thread, you must start a new Thread instead :)