Member Panel

confidential · 11:04 PM

here is my hijack this logfile. oh and btw the reason i am posting is because i went to some site called (dont click the following link) freeserials.com or something like that and i got some viruses and some adware and spyware. and now i get a bunch of stupid internet explorer popups and popups in my avant browser. i ran adaware se and microsoft anti spyware they both found a bunch of stuff i deleted all of it and ran both again to make sure it got everything but it kept finding more so i got hijack this and i posted my log file on www.hijackthis.de and i removed the nasties and possibly nasties and the unknown programs that i didnt know why they were on my computer but i still have popups so i ran it again and this is the log file i got.

Logfile of HijackThis v1.99.1
Scan saved at 1:35:54 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\windows\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Antiy Labs\Alive\ALiveCenter.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\windows\Explorer.EXE
C:\windows\system32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\PROGRA~1\COMMON~1\orom\oroma.exe
C:\PROGRAM FILES\AVANT BROWSER\AVANT.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\windows\system32\NOTEPAD.EXE
C:\windows\system32\rundll32.exe
C:\DOCUME~1\brad\LOCALS~1\Temp\Rar$EX76.157\Hijack This.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04b\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O8 - Extra context menu item: Add to AD Black List - C:\PROGRAM FILES\AVANT BROWSER\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\PROGRAM FILES\AVANT BROWSER\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\PROGRAM FILES\AVANT BROWSER\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\PROGRAM FILES\AVANT BROWSER\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\PROGRAM FILES\AVANT BROWSER\Search.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/pote_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/277a37bb...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1107643408218
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\kt00l7dm1.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Antiy live update (Alive Auto-Update Service) - Unknown owner - C:\Program Files\Antiy Labs\Alive\ALiveCenter.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

btalman

Hi there and welcome to PCHF. Please go to through all these steps and post a log, as an attachment, afterwards.

** All logs submitted for review must be in the form of text attachments to posts **

Doing the following will help our team members assist you more quickly, thank you for your cooperation...

Download [HijackThis!]

Before using HijackThis Please Do the Following

Make sure that HijackThis is installed in it's own folder and not a temporary location.

Show hidden files and folders:

For XP:

On the Tools menu in Windows Explorer, click Folder Options.
Click the View tab.
Under Hidden files and folders, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

For 98/2000/ME:

Double-click the My Computer icon
Click on the View menu, click Folder Options
Advanced Settings box, under the "Hidden files" folder, click Show all files.
If you see a warning message, click Yes.
Click Apply.
Click OK.

Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when youre PC is clean).

How to disable system restore:

WinXP.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.

WinME.

Click Start > Settings > Control Panel.
Double-click the System icon.
If the System icon is not visible, click View all Control Panel options to display it.
On the Performance tab, click File System.
On the Troubleshooting tab check Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

Clean up unneccesary files and folders

Please download [CCleaner]

Install and launch CCleaner
Click on check for updates.
Under Cleaner Settings, make sure that everything is checked, including Advanced.
Answer yes to all warnings.
Click Analyze, when it is finished, click Run Cleaner, then OK.
Allow the program to finish and exit application.

Remove any malware using Ewido

Download [Ewido Security Suite]

Install Ewido Security Suite.
When installing, under Additional Options uncheck Install background guard and Install scan via context menu
Launch Ewido, there should be a big "E" icon on your desktop, double-click it.
The program will prompt you to update click the "OK" button
The program will now go to the main screen
You will need to update Ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed.*
After the updates are installed, exit ewido.

Once the updates are installed do the following:

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
Reboot into Safe Mode, restart your computer, tap the F8* key. Use your up arrow key to highlight Safe Mode, then hit enter.

Close all open windows/programs/folders and then run Ewido.* Have nothing else open while ewido performs its scan!

Click on Scanner , Settings
Under "How to scan" all boxes should be selected
Under "Possibly unwanted software" all boxes should be selected
Under "What to scan" select scan every file
Click OK, Complete system scan
Let the program scan the machine
If ewido finds anything, it will pop up a notification.*

NOTE:* We have been finding some cases of false positives with the new version of Ewido, so you need to step through the fixes one-by-one.* If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, AOL, pcAnywhere and the game "Risk" have been flagged.* In particular, watch for alerts that have the word "Heuristic" in them - if you recognize the file name as "friendly," these may actually be false positives) select "none" as the action.*

DO NOT check "Perform action with all infections."* If you are unsure of an entry, select "none" for the time being.* We will see that in the log when you post it later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

Click Save report. Save the report to your desktop, exit ewido

Note:

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and run a new scan.

Then run HijackThis choosing the top option to save a log file, save it to your desktop. When you post, please include a description of the problem you are having, and Attach your HijackThis log plus the Ewido log.

Good luck

joe5

Hya Confidential , welcome to PCHF.

After you have followed the Prework instructions and posted the Ewido log and a new hjt log we will clean that up in no time im sure. :smiley:

But do you maybe also still have the old hjt log before:

i got hijack this and i posted my log file on www.hijackthis.de and i removed the nasties and possibly nasties and the unknown programs that i didnt know why they were on my computer but i still have popups so i ran it again and this is the log file i got.

So that we can see what was on there and now maybe still partially is , but isn't showing up anymore?

And @ Btalman , might have been better to post the url to the Prework topic , and maybe also say hello and welcome the new member. O0

Hengis

Hi there and welcome to PCHF.

..he did

joe5

Originally Posted by Hengis

..he did

Oops..

Sorry BT..

@Confidential , it looks like you also have the latest version of a "look2me" infection.
Can you , after running Ewido and before making a new hjt log , also run Spysweeper?
That is atm the only tool that can fix that.

Download and scan with Spysweeper from:
http://www.webroot.com/consumer/products/spysweeper (the trial link is on the right)

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.

Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".

Check "Local Disc C" and under "What to Sweep", check every box.

Click on "Sweep" and allow it to fully scan your system.

When the sweep has finished, click "Remove" to remove any items found.

Exit SpySweeper and reboot your computer.

NOTE: After Spysweeper has finishined and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

btalman

NP Joe5, I'm going through a little attitude adjustment ;-)

confidential

ok i have another problem which was stated here. http://www.pchelpforum.com/windows-x...-problems.html they closed it. but here is my log file for ewido. but my computer is still restarting for no reason...