Author Topic: Virus Problem (Read 665 times)

funkandjazz · « **on:** June 26, 2008, 10:43:46 AM »

Hello,

This forum has been extremely helpful to me in the past. I'd appreciate your help with this new problem:

I seem to have acquired a virus that's causing several problems. I was notified by my internet provider that spam was suddenly being sent from my email address (unbeknownst to me) and also whenever I do a search through Yahoo or Google and select one of the links, I get redirected to "my-fast-search.com". Can you please help me find and remove what's casuing the problem?

Here's my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:07 AM, on 6/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.

yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.

yahoo.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:

\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program

Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-

Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.

dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital

Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05

\bin\jusched.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -

atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe

/runkey
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape

Streaming Services\Owner\OctoshapeClient.exe" -inv:bootrun
O4 - HKCU\..\Run: [lsass] C:\Documents and Settings\Owner\Application

Data\Microsoft\Windows\lsass.exe
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program

Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program

Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321

Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:

\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-

00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -

C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage

Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/

rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/

rdgUS1953.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: avicore - avicore.dll (file missing)
O20 - Winlogon Notify: __c00D6FBA - C:\WINDOWS\SYSTEM32\__c00D6FBA.jpg
O22 - SharedTaskScheduler: OLE Module - {03B1C4D9-BC71-8916-38AD-9DEA5D

213614} - (no file)
O23 - Service: McAfee Application Installer Cleanup (0156521214483532) (

0156521214483532mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Owner\LOCALS~1

\Temp\015652~1.EXE
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program

Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1

\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1

\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1

\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1

\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:

\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1

\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. -

C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C

:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:

\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program

Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 7011 bytes

Thanks!

guestolo · « **Reply #1 on:** July 04, 2008, 10:18:36 AM »

Sorry for the delay funkandjazz

If you still need a hand, can you post a fresh hijackthis log please
But do the following
When you run Scan and Save Logfile with Hijackthis
When the log opens in Notepad, before you copy it, click on FORMAT at the top
and UNCheck Word Wrap
Then copy>paste back here the fresh log, this will eliminate the spaces in your log

funkandjazz · « **Reply #2 on:** July 04, 2008, 08:02:02 PM »

[quote name=\'guestolo\' post=\'434562\' date=\'Jul 4 2008, 09:18 AM\']Sorry for the delay funkandjazz

If you still need a hand, can you post a fresh hijackthis log please
But do the following
When you run Scan and Save Logfile with Hijackthis
When the log opens in Notepad, before you copy it, click on FORMAT at the top
and UNCheck Word Wrap
Then copy>paste back here the fresh log, this will eliminate the spaces in your log[/quote]

Hi,

Thanks for the reply. Since I wrote my original post, I have run a couple more virus/spyware removal programs and they all "fixed" stuff. The browser hijack problem does seem to have been fixed. Still, I'm not entirely sure that I've cleared away all my problems. Could you take a look and see what you think, please? Below is the updated HJT log, per your request.

Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 6:11:50 PM, on 7/4/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: aawservice - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

guestolo · « **Reply #3 on:** July 05, 2008, 11:02:46 AM »

Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Come back here and post a fresh hijackthis log

In addition, I notice you may have ran SuperAntispyware
Can you post the log from it's last scan please
To get the log, Open SA> click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.

funkandjazz · « **Reply #4 on:** July 06, 2008, 01:14:57 AM »

[quote name=\'guestolo\' post=\'434632\' date=\'Jul 5 2008, 10:17 AM\']Do a "System scan only" with Hijackthis and put a check next to these entries:

O16 - DPF: {14026E16-CA00-0E7F-DE94-4CA444CE0DA9} - http://69.50.182.94/1/rdgUS1953.exe
O16 - DPF: {3162787C-FE67-43E2-5B17-63A1077EF4B2} - http://69.50.182.94/1/rdgUS1953.exe

After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer
Come back here and post a fresh hijackthis log

In addition, I notice you may have ran SuperAntispyware
Can you post the log from it's last scan please
To get the log, Open SA> click Preferences and then click the Statistics/Logs tab. Click the dated log and press View Log and a text file will appear.[/quote]

Done. Here are the logs:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:19 PM, on 7/5/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WDBtnMgr.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Adobe\Photoshop CS\Photoshop.exe
C:\Program Files\IrfanView\I_VIEW32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
c:\PROGRA~1\mcafee.com\agent\McUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: ColorVisionStartup.lnk = C:\Program Files\ColorVisionaltsetup\Utility\ColorVisionStartup.exe
O4 - Global Startup: DriveSelect.lnk = C:\Program Files\321Studios\Xpress\DriveSelect.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.Email Removed.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: aawservice - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

----------------------

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/03/2008 at 05:57 AM

Application Version : 4.15.1000

Core Rules Database Version : 3496
Trace Rules Database Version: 1487

Scan type : Quick Scan
Total Scan Time : 00:23:37

Memory items scanned : 469
Memory threats detected : 0
Registry items scanned : 451
Registry threats detected : 2
File items scanned : 10839
File threats detected : 71

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\owner@adultdvdexplorer[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@fonefinder[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@windowsmedia[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@crackdb[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@90044751[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@azjmp[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adecn[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@kanoodle[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@32000[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@consumersdiscountrx[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@labels=0[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@mediablvd[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@labels=0[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@tacoda[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adserver[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@trafficdashboard[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@warlog[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@teenboom[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@yadro[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@qnsr[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@mediabistro[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@interclick[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
   C:\Documents and Settings\Owner\Cookies\owner@nandomedia[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@collective-media[5].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@toplist[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@nextag[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@starware[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adinterax[3].txt
   C:\Documents and Settings\Owner\Cookies\owner@belnk[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adknowledge[2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@empornium[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@atwola[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@shopica[1].txt
   C:\Documents and Settings\Owner\Cookies\owner@mb[5].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\owner@kontera[3].txt
   C:\Documents and Settings\Owner\Cookies\owner@dmtracker[3].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][3].txt
   C:\Documents and Settings\Owner\Cookies\owner@revsci[5].txt
   C:\Documents and Settings\Owner\Cookies\owner@nextstat[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@adbrite[1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][4].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][1].txt
   C:\Documents and Settings\Owner\Cookies\[email protected][2].txt
   C:\Documents and Settings\Owner\Cookies\owner@partner2profit[1].txt
   .statcounter.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   ad.yieldmanager.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .dynamic.media.adrevolver.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .easycracks.net [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .superstats.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .yadro.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.smartserial.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   www.fullreleases.biz [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .usenext.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .engine.adnet.ru [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .burstnet.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]
   .partner2profit.com [ C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6n01vx4r.default\cookies.txt ]

Rootkit.Unclassified/SysDamp-Traces
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Reserved
   HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Reserved

Trojan.Crafted-A
   C:\WINDOWS\SYSTEM32\TRF32.DLL

guestolo · « **Reply #5 on:** July 06, 2008, 08:07:19 AM »

You posted your first Hijackthis log with version 2.0.2

Then the next 2 logs were from an older version of Hijackthis?

Regardless, your logs look good, but just as a double check
Can you do the following please
Download [color=\"#008000\"]Deckard's System Scanner (dss.exe)[/color] to your desktop.
Close all applications and windows.
Double-click on dss.exe to run it and follow the prompts.
When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.

Post back the Whole contents of Main.txt and Extra.txt

TheTechGuide Forum

News:

Author Topic: Virus Problem (Read 665 times)

funkandjazz

Virus Problem

guestolo

Virus Problem

funkandjazz

Virus Problem

guestolo

Virus Problem

funkandjazz

Virus Problem

guestolo

Virus Problem