Gladiator Security Forum

> HJT log about 99% clean, PSGuard left
saucydad
post Dec 19 2005, 02:41 AM
Post #1
Well, I have cleaned up a few by myself but this one has me stumped. Am I missing something?

I am posting the before and after logs.

The WinAntiVirus Pro 2006 found two keys that I can’t delete in safe mode logged in as admin.
HKLM\Software\ShudderLTD
HKLM\Software\Classes\Catalyst.SocketCtrl1
WinAntiVirus Pro 2006 can’t delete them and Microsoft Antispyware Beta1 gets to Shudder and hangs up. Says it is PSGuard.

So far have deleted:
Trojan Zlob-BC
Trojan Zlob-F
Troj-PUPER.AL
CWS-SE.5000

I don’t know for sure what the O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll lines are. Must be something with the AV program.

Logfile of HijackThis v1.99.1
Scan saved at 10:27:45 AM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijackthis\HijackThis - v1.99.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swgrain.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/
O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp58CE.tmp
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Logfile of HijackThis v1.99.1
Scan saved at 8:13:09 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\WinAntiVirus Pro 2006\winav.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
C:\Program Files\Google\ggviewer81-23.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis - v1.99.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swgrain.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [WinAntiVirusPro2006] C:\Program Files\WinAntiVirus Pro 2006\winav.exe /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
Bobbi Flekman
post Dec 19 2005, 11:26 AM
Post #2
Hi Saucydad,

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.

About the LSP file... It is under debate whether it is okay or not. It is very shady to say the least. This is from one of the websites I found:
QUOTE
Part of WinAntivirus 2004, an antivirus product with very suspicious marketing practices. Their site/product are designed to look very similar to Symantec's Norton Antivirus, and tricked several people into thinking they were buying a new version of Norton. In addition, they've registered the domain symantic.com in an obvious attempt to further the misconception that this is Symantec's Norton Antivirus. There are also unconfirmed reports of this (either through unwanted install or through regular internet ad popups) popping up false warnings that a user's Norton Antivirus subscription has expired and trying to get you to buy their product, presumably under the assumption that this is a new version of Norton. http://www.winantivirus.com


saucydad
post Dec 19 2005, 02:04 PM
Post #3
Thanks Bobbi,
I have run everything but Ewido. I did disable WinAntiVirus Pro 2006, installed AVG Free and did a scan, and it didn't show any of the things that Win Pro did.
I am going to disable Win Pro and just run AVG for now and see what happens. Seems like every time I go online another threat appears.
Will do the rest of the things above and get back to you.
saucydad
saucydad
post Dec 19 2005, 05:03 PM
Post #4
Bobbi,
Things went pretty well except Panda. When I clicked on scan it opened a new window, said done at the bottom and just sits there. It did say in the FAQ that it might take a while to start, but I will try that again later.

The HKLM\Software\ShudderLTD is gone from the Reg now but the HKLM\Software\Classes\Catalyst.SocketCtrl1 is still there. It is called Portal of Dream.
Last night after I posted and you told me about Win Pro this morning, I did another scan and it came up with another one at HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSSVC\0000. Said something about e.Bates.

I have WinPro disabled and am just running AVG, but the O10s still come up in the HJT log. I wonder if I should have HJT fix these?

Here are the results of the scans.


QUOTE
smitRem © log file
    version 2.8

    by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/19/2005
The current time is:  9:06:54.21

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key present!

Running LTDFix/PSGuard.com fix!

checking for PSGuard.com key


PSGuard.com key not present!



ShudderLTD key was successfully removed! :)


if previously present, PSGuard.com key was successfully removed! :)

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

Security Toolbar


~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
logfiles


~~~ Icons in System32 ~~~

ot.ico
ptainfo1
ptainfo2


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright © 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'explorer.exe'
Killing PID 732 'explorer.exe'

Starting registry repairs

Deleting files


  Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)



---------------------------------------------------------
QUOTE
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on:  9:38:27 AM, 12/19/2005
+ Report-Checksum:  6D0F686

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{FB986A68-EAE4-11D4-9BD1-0080C6F60B6A} -> Spyware.Coupon : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz3.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz5.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz6.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz8.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@cz9.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Cookies\katrina hummel@vip.clickzs[1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Desktop\MNPASSetup_cb02.exe/wbhshare.dll -> Spyware.WebHancer : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Desktop\MNPASSetup_cb02.exe/Webhdll.dll -> Spyware.WebHancer : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Desktop\MNPASSetup_cb02.exe/WhAgent.exe -> Spyware.WebHancer : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Desktop\MNPASSetup_cb02.exe/whiehlpr.dll -> Spyware.WebHancer : Cleaned with backup
C:\Documents and Settings\Katrina Hummel\Desktop\MNPASSetup_cb02.exe/whieshm.dll -> Spyware.WebHancer : Cleaned with backup
C:\Hijackthis\backups\backup-20051218-135354-982.dll -> Downloader.Zlob.co : Cleaned with backup


::Report End


QUOTE
Logfile of HijackThis v1.99.1
Scan saved at 10:03:05 AM, on 12/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Companion Wizard\compwiz.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\ggviewer81-23.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Hijackthis\HijackThis - v1.99.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.swgrain.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.weather.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [CompanionWizard] "C:\Program Files\Common Files\Companion Wizard\compwiz.exe" /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


This post has been edited by saucydad: Dec 19 2005, 05:11 PM
Bobbi Flekman
post Dec 20 2005, 12:09 PM
Post #5
Hi saucydad,

The logs are clean. If you want to get rid of WinAntivirus I suggest simply uninstalling it. The program comes with more than just the intrusion in the LSP chain. And never get rid of O10s through HijackThis. I think in 1.99 it is impossible to do this, but in older versions it kills the Internet access.

QUOTE
The HKLM\Software\ShudderLTD is gone from the Reg now but the HKLM\Software\Classes\Catalyst.SocketCtrl1 is still there. It is called Portal of Dream.
Can MSAS delete it now?

This log looks clean!

This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall for example Sygate Personal Firewall or Kerio Personal Firewall or ZoneLabs Zone Alarm, a spyware blocker like SpywareBlaster and also IE-Spyads and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....


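As an added example (my own code, not part of this thread and not HijackThis's own tooling): a small Python script that parses two HijackThis logs like the before/after pair saucydad posted at the top of the thread, reports what vanished and what appeared between scans, and flags the entry shapes discussed here, including the O10 Winsock LSP lines, which it only reports and never removes, for the reason Bobbi gives about the LSP chain. The sample logs are constructed excerpts modelled on the ones in the thread, and the flagging heuristics are mine, not HijackThis's.

```python
"""Diff two HijackThis v1.99 logs (before/after a cleanup) and flag entries worth a look."""
import re
from collections import Counter

# A HijackThis entry line: section code (R0, O2, O4, O10, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Constructed sample logs: short excerpts modelled on the before/after logs in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe

O2 - BHO: HomepageBHO - {1ca480cd-c0e5-4548-874e-b85b17905b3a} - C:\WINDOWS\system32\hp58CE.tmp
O3 - Toolbar: (no name) - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - (no file)
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe"
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus pro 2006\mailscan.dll
"""


def parse_hjt(text):
    """Return (processes, entries): the running-process paths as a lower-cased set, and a
    Counter of (section, body) tuples. HijackThis prints one O10 line per Winsock catalog
    entry that points at the DLL, so the repeat count is kept rather than collapsed."""
    processes, entries, in_procs = set(), Counter(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            in_procs = False            # a blank line ends the process list
        elif line.lower() == "running processes:":
            in_procs = True
        elif in_procs:
            processes.add(line.lower())
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries[(m.group(1), m.group(2))] += 1
    return processes, entries


def lsp_count(entries):
    """Number of O10 (Winsock LSP) lines, i.e. catalog entries pointing at unknown DLLs."""
    return sum(n for (sec, _), n in entries.items() if sec == "O10")


def diff_logs(before, after):
    """What vanished and what is new between two scans, plus the LSP line counts."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    return {
        "processes_gone": sorted(bp - ap),
        "processes_new": sorted(ap - bp),
        "entries_gone": sorted(set(be) - set(ae)),
        "entries_new": sorted(set(ae) - set(be)),
        "lsp_before": lsp_count(be),
        "lsp_after": lsp_count(ae),
    }


def flag_entries(entries):
    """Heuristics of my own (not HijackThis's): entry shapes that deserve a second look,
    as prompts for review rather than verdicts. O10 lines are only reported: removing an
    LSP entry by hand breaks the Winsock chain, so uninstall the owning program instead."""
    flags = []
    for sec, body in entries:
        low = body.lower()
        if sec == "O2" and low.endswith(".tmp"):
            flags.append((sec, body, "BHO loaded from a .tmp file"))
        elif sec in ("O2", "O3") and "(no file)" in low:
            flags.append((sec, body, "orphaned entry, target file missing"))
        elif sec == "O10" and "unknown file in winsock lsp" in low:
            flags.append((sec, body, "third-party LSP: do not delete by hand"))
    return flags
```

Run `diff_logs(BEFORE_LOG, AFTER_LOG)` to see the WinAntiVirus process and its Run entry disappear while the two O10 lines persist, exactly as in the thread, and `flag_entries(parse_hjt(BEFORE_LOG)[1])` to see the .tmp BHO, the orphaned toolbar and the LSP lines called out.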
saucydad
post Dec 20 2005, 02:28 PM
Post #6
Thanks Bobbi,
Darn, I am not getting e-mail notices again even though I set it to send them immediately. Hummm.
I did finally get Panda to run, but had to go to the home page and start from there; the link didn't work. It came up clean and didn't even give me a report.
Ran Housecall too and it came up clean as well.

I talked to her last night and she agrees to get rid of Win Pro. Think she paid $49.95 for it. The computer guy that comes to our town twice a month talked her into putting it on. I checked their website and it says to just use Add/Remove, but it also has a manual workaround, so I will check the Reg. after using Add/Remove.

I think that Win Pro is putting these in itself to make you think it is doing something:
HKLM\Software\Classes\Catalyst.SocketCtrl1
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSSVC\0000. Said something about e.Bates.

The second one came after it had updated itself and I had done a scan with it. None of the other AV scanners even see them.

QUOTE
Can MSAS delete it now?

It doesn't even see them.

I did get all the things you mentioned installed for her, so she should be pretty safe now. She is only using the XP firewall, so maybe can talk her into doing something about that.

Thanks for the help. Wish I was close enough to buy you a beer.
saucydad

This post has been edited by saucydad: Dec 20 2005, 02:29 PM
saucydad
post Dec 20 2005, 03:26 PM
Post #7
Bobbi,
Just an update. Uninstalled Win Pro and the O10s are gone.
saucydad