#1 - 29th Mar 2008 - lawt555 (CJ Member, England)
Problem - GOOGLE DISABLED BY SPYWARE!!

Can anyone help?

I appear to have a problem with my PC. I think it may be malicious spyware or something which has attacked my PC and is causing it problems.

I'm unable to use Google - whenever I look to search for something, the Google homepage changes to a similar-looking page which starts to scan my PC (or so it appears to?). I then get told that my PC is infected and need to purchase a piece of software for £20.

It's causing all sorts of unusual activity when I use other internet sites. For example - if I'm looking on my health insurance site, I get another window popping up for cosmetic surgery! If I'm on my betting site, I get a rogue betting site popping up... and so on.

I've run AVG, Ad-Aware, Spybot, etc. - but the problem persists.

Any ideas please?

k
#2 - 29th Mar 2008 - evilfantasy (CJ Moderator)

Welcome to CJ.

Let's take a look at a HJT log.

Download and rename HijackThis (HJT)
  • Double-click on HJTInstall.
  • Click on the Install button.
  • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
  • Upon install, HijackThis should open for you.
    • Close HijackThis and rename it.
    • Go to C:\Program Files\Trend Micro\HijackThis.exe
    • Right click on HijackThis.exe and select Rename.
    • Type in sniper.exe and press Enter.
    • Right-click on sniper.exe and select Send To > Desktop (create shortcut)
  • From the desktop open Hijackthis.
  • If using Windows Vista, Right-click and Run As Administrator.
  • Click on the Do a system scan and save a log file button
  • Hijackthis will scan and then a log will open in notepad.
  • Copy and then paste the entire contents of the log in your post.
    • Do not have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Although we have renamed Hijackthis to sniper, we will still refer to it as Hijackthis or HJT.
#3 - 29th Mar 2008 - lawt555 (CJ Member)

Thanks evilfantasy.

Just doing as you advise.

As soon as the contents are logged I'll send them to you.

Thanks.

k
#4 - 29th Mar 2008 - lawt555 (CJ Member)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:08, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drivers\ctfmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer Provided By Wanadoo
O1 - Hosts: 124.217.251.159 google.dk
O1 - Hosts: 124.217.251.159 google.se
O1 - Hosts: 124.217.251.159 google.co.nz
O1 - Hosts: 124.217.251.159 google.cn
O1 - Hosts: 124.217.251.159 google.com.pr
O1 - Hosts: 124.217.251.159 google.com.ca
O1 - Hosts: 124.217.251.159 google.com.ch
O1 - Hosts: 124.217.251.159 google.fi
O1 - Hosts: 124.217.251.159 google.co.in
O1 - Hosts: 124.217.251.159 google.co.uk
O1 - Hosts: 124.217.251.159 google.lv
O1 - Hosts: 124.217.251.159 google.co.hu
O1 - Hosts: 124.217.251.159 google.lk
O1 - Hosts: 124.217.251.159 google.com.au
O1 - Hosts: 124.217.251.159 google.ru
O1 - Hosts: 124.217.251.159 google.nl
O1 - Hosts: 124.217.251.159 google.be
O1 - Hosts: 124.217.251.159 google.de
O1 - Hosts: 124.217.251.159 gogle.de
O1 - Hosts: 124.217.251.159 googel.de
O1 - Hosts: 124.217.251.159 google.ro
O1 - Hosts: 124.217.251.159 google.kz
O1 - Hosts: 124.217.251.159 google.by
O1 - Hosts: 124.217.251.159 google.no
O1 - Hosts: 124.217.251.159 google.pl
O1 - Hosts: 124.217.251.159 google.com.pl
O1 - Hosts: 124.217.251.159 google.es
O1 - Hosts: 124.217.251.159 google.pt
O1 - Hosts: 124.217.251.159 google.com.br
O1 - Hosts: 124.217.251.159 google.vc
O1 - Hosts: 124.217.251.159 google.co.za
O1 - Hosts: 124.217.251.159 google.tm
O1 - Hosts: 124.217.251.159 google.com.my
O1 - Hosts: 124.217.251.159 google.bg
O1 - Hosts: 124.217.251.159 google.co.jp
O1 - Hosts: 124.217.251.159 google.ie
O1 - Hosts: 124.217.251.159 google.co.ck
O1 - Hosts: 124.217.251.159 google.com.mx
O1 - Hosts: 124.217.251.159 google.com.om
O1 - Hosts: 124.217.251.159 google.fr
O1 - Hosts: 124.217.251.159 google.mu
O1 - Hosts: 124.217.251.159 google.com.ph
O1 - Hosts: 124.217.251.159 google.com.jm
O1 - Hosts: 124.217.251.159 google.com
O1 - Hosts: 124.217.251.159 google.us
O1 - Hosts: 124.217.251.159 google.ro
O1 - Hosts: 124.217.251.159 www.google.dk
O1 - Hosts: 124.217.251.159 www.google.se
O1 - Hosts: 124.217.251.159 www.google.co.nz
O1 - Hosts: 124.217.251.159 www.google.cn
O1 - Hosts: 124.217.251.159 www.google.com.pr
O1 - Hosts: 124.217.251.159 www.google.com.ca
O1 - Hosts: 124.217.251.159 www.google.com.ch
O1 - Hosts: 124.217.251.159 www.google.fi
O1 - Hosts: 124.217.251.159 www.google.co.in
O1 - Hosts: 124.217.251.159 www.google.co.uk
O1 - Hosts: 124.217.251.159 www.google.lv
O1 - Hosts: 124.217.251.159 www.google.co.hu
O1 - Hosts: 124.217.251.159 www.google.lk
O1 - Hosts: 124.217.251.159 www.google.com.au
O1 - Hosts: 124.217.251.159 www.google.ru
O1 - Hosts: 124.217.251.159 www.google.nl
O1 - Hosts: 124.217.251.159 www.google.be
O1 - Hosts: 124.217.251.159 www.google.de
O1 - Hosts: 124.217.251.159 www.gogle.de
O1 - Hosts: 124.217.251.159 www.googel.de
O1 - Hosts: 124.217.251.159 www.google.ro
O1 - Hosts: 124.217.251.159 www.google.kz
O1 - Hosts: 124.217.251.159 www.google.by
O1 - Hosts: 124.217.251.159 www.google.no
O1 - Hosts: 124.217.251.159 www.google.pl
O1 - Hosts: 124.217.251.159 www.google.com.pl
O1 - Hosts: 124.217.251.159 www.google.es
O1 - Hosts: 124.217.251.159 www.google.pt
O1 - Hosts: 124.217.251.159 www.google.com.br
O1 - Hosts: 124.217.251.159 www.google.vc
O1 - Hosts: 124.217.251.159 www.google.co.za
O1 - Hosts: 124.217.251.159 www.google.tm
O1 - Hosts: 124.217.251.159 www.google.com.my
O1 - Hosts: 124.217.251.159 www.google.bg
O1 - Hosts: 124.217.251.159 www.google.co.jp
O1 - Hosts: 124.217.251.159 www.google.ie
O1 - Hosts: 124.217.251.159 www.google.co.ck
O1 - Hosts: 124.217.251.159 www.google.com.mx
O1 - Hosts: 124.217.251.159 www.google.com.om
O1 - Hosts: 124.217.251.159 www.google.fr
O1 - Hosts: 124.217.251.159 www.google.mu
O1 - Hosts: 124.217.251.159 www.google.com.ph
O1 - Hosts: 124.217.251.159 www.google.com.jm
O1 - Hosts: 124.217.251.159 www.google.com
O1 - Hosts: 124.217.251.159 www.google.us
O1 - Hosts: 124.217.251.159 www.google.ro
O1 - Hosts: 124.217.251.159 www.video.google.com
O1 - Hosts: 124.217.251.159 www.maps.google.com
O1 - Hosts: 124.217.251.159 www.groups.google.com
O1 - Hosts: 124.217.251.159 www.news.google.com
O1 - Hosts: 124.217.251.159 www.images.google.com
O1 - Hosts: 124.217.251.159 www.earth.google.com
O1 - Hosts: 124.217.251.159 www.code.google.com
O1 - Hosts: 124.217.251.159 www.directory.google.com
O1 - Hosts: 124.217.251.159 www.labs.google.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
--
End of file - 12506 bytes
#5 - 29th Mar 2008 - evilfantasy (CJ Moderator)
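As an added example (not code from this thread or from the HijackThis project), a small Python triage script for the two patterns visible in the log above: O1 Hosts lines that point many legitimate domains at one non-loopback IP, and O4/O23 entries that launch from a user profile directory or carry a Windows binary's name (here ctfmon.exe) from a directory where that binary never lives. The sample log lines, the list of impersonated names and the minimum-domain threshold are constructed here, and %windir% is assumed to be C:\WINDOWS.

```python
"""Triage a HijackThis (HJT) log for two infection patterns:
many domains pointed at one non-loopback IP via O1 Hosts lines, and
O4/O23 autoruns launched from a user profile or carrying a Windows
binary's name from a directory where that binary never resides."""
import ipaddress
import ntpath
import re
from collections import defaultdict

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
# First drive-letter path ending in .exe; quotes and trailing arguments are ignored.
EXE_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)

# Windows binaries commonly impersonated (ctfmon.exe is the one in this thread).
# Genuine copies live directly in %windir% or %windir%\system32 (assumed C:\WINDOWS).
SYSTEM_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "spoolsv.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "csrss.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")

# Constructed sample in the shape of the posted log (not the full log).
SAMPLE_LOG = r"""
O1 - Hosts: 124.217.251.159 google.co.uk
O1 - Hosts: 124.217.251.159 www.google.com
O1 - Hosts: 124.217.251.159 gogle.de
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\ctfmon.exe
"""


def exe_path(cmd):
    """Pull the executable path out of an O4/O23 command string, or None."""
    m = EXE_RE.search(cmd)
    return m.group("path") if m else None


def hosts_hijacks(lines, min_domains=3):
    """Group O1 Hosts entries by IP; return {ip: sorted domains} for every
    non-loopback IP that at least min_domains domains were pointed at."""
    by_ip = defaultdict(set)
    for line in lines:
        m = HOSTS_RE.match(line.strip())
        if not m:
            continue
        ip, domain = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed entry, nothing to group
        if addr.is_loopback or addr.is_unspecified:
            continue  # 127.x / 0.0.0.0 are the normal hosts-file targets
        by_ip[ip].add(domain.lower())
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


def suspicious_autoruns(lines):
    """Return (path, reason) for O4/O23 entries whose executable lives in a
    user profile or temp directory, or which reuses a Windows binary's name
    from a directory outside %windir% and %windir%\\system32."""
    findings = []
    for line in lines:
        m = RUN_RE.match(line.strip()) or SVC_RE.match(line.strip())
        if not m:
            continue
        path = exe_path(m.group("cmd"))
        if not path:
            continue
        directory, name = ntpath.split(path.lower())
        if any(marker in path.lower() for marker in PROFILE_MARKERS):
            findings.append((path, "autorun from user profile/temp directory"))
        elif name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            findings.append((path, f"{name} impersonated outside %windir%/system32"))
    return findings


def triage(log_text):
    """Run both checks over a whole log and return the findings together."""
    lines = log_text.splitlines()
    return {"hosts_hijacks": hosts_hijacks(lines),
            "suspicious_autoruns": suspicious_autoruns(lines)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, domains in result["hosts_hijacks"].items():
        print(f"hosts hijack -> {ip}: {len(domains)} domains, e.g. {domains[:3]}")
    for path, reason in result["suspicious_autoruns"]:
        print(f"autorun: {path}  [{reason}]")
```

Run over the full log above, the O1 block collapses to a single IP with roughly a hundred domains, and the three spool.exe/ctfmon.exe entries are the only autoruns flagged.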

Yes, there are some nasty entries in the log. We should be able to get you fixed up.

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard).
  • Finally add the contents of the Report.txt in your next post.
----------

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop from either of these two links.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please copy and paste the log into your next reply
Note: If you accidentally close the log it can be retrieved at any time from the Malwarebytes' Anti-Malware main screen.
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt
----------

Download HostsXpert
  • Unzip HostXpert to your desktop
  • Open up the HostXpert program.
  • Make sure that the "Make Hosts Writable?" button in the upper right corner is enabled.
  • Click Create Back Up
  • Then click on Restore Microsoft's Host Files
  • Close the HostXpert program
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself, as well as run Spybot's Immunize and enable all protection in SpywareBlaster.

----------

Reset Web Settings & Default Security Settings

Note for IE 7 users:

Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.

Note for IE 6 users:

To Reset Web Settings:
  • Right click on your desktop Internet Explorer icon and select Properties.
  • Click the Programs tab and then click Reset Web Settings.
  • Now go back to the General tab and set your home page address to something useful like www.computer-juice.com
  • Click Apply.
  • Next click Delete Cookies, Click Delete Files and select Delete all offline content.
  • Click OK > OK
If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.computer-juice.com. Click Apply. Click Delete Cookies, click Delete Files and select Delete all offline content too, then click OK. When it finishes, click OK.

To Reset Default Security Settings:
  • Right click on your desktop Internet Explorer icon and select Properties
  • Then click the Security tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
  • For IE 7 users, simply click the "Reset all zones to default level" button.
----------

Now run a new Hijackthis scan and post that log along with the SDFix and MBAM logs.

----------

Next post
SDFix log
MBAM log
NEW Hijackthis log

#6 - 29th Mar 2008 - lawt555 (CJ Member)

Hi evilfantasy

Results of SDFix below:

SDFix: Version 1.164
Run by abc on 29/03/2008 at 20:37
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting

Checking Files :
Trojan Files Found:
C:\DOCUME~1\ABC\FTPDLL.DLL - Deleted
C:\DOCUME~1\LOCALS~1\FTPDLL.DLL - Deleted
C:\WINDOWS\SYSTEM32\FTPDLL.DLL - Deleted
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
C:\Documents and Settings\abc\Local Settings\Temp\tem1A.tmp.exe - Deleted
C:\Documents and Settings\abc\Local Settings\Temp\tem1E.tmp.exe - Deleted
C:\Documents and Settings\abc\Local Settings\Temp\tem22.tmp.exe - Deleted
C:\Documents and Settings\abc\Local Settings\Temp\tem23.tmp.exe - Deleted
C:\Documents and Settings\abc\Local Settings\Temp\upd25.tmp.exe - Deleted


Removing Temp Files
ADS Check :


Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 20:42:50
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"="C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe"="C:\\Program Files\\TalkTalk\\bin\\sprtsvc.exe:*:Enabled:sprtsvc.exe"
"C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"="C:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe:*:Enabled:sprtcmd.exe"
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"="C:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe:*:Enabled:bcont_nm.exe"
"C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"="C:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe:*:Enabled:bcont.exe"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files :
C:\DOCUME~1\LOCALS~1\FTPDLL.DLL Found
C:\WINDOWS\SYSTEM32\FTPDLL.DLL Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Thu 13 Dec 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Tue 25 Mar 2008 47,422 ..SH. --- "C:\WINDOWS\system32\drivers\ctfmon.exe"
Tue 25 Mar 2008 48,434 ..SH. --- "C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe"
Mon 25 Feb 2008 23,552 ...H. --- "C:\Documents and Settings\abc\My Documents\business files\~WRL0001.tmp"
Wed 26 Mar 2008 74,454 ..SH. --- "C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe"
Wed 12 Mar 2008 1,579 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT52.tmp"
Wed 12 Mar 2008 1,554 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT53.tmp"
Wed 12 Mar 2008 1,469 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT54.tmp"
Wed 12 Mar 2008 2,072 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT55.tmp"
Wed 12 Mar 2008 2,013 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT56.tmp"
Wed 12 Mar 2008 1,595 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT57.tmp"
Wed 12 Mar 2008 2,654 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT58.tmp"
Wed 12 Mar 2008 1,538 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT59.tmp"
Wed 12 Mar 2008 2,548 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT5A.tmp"
Wed 12 Mar 2008 1,686 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT5B.tmp"
Wed 12 Mar 2008 1,969 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT5C.tmp"
Wed 12 Mar 2008 1,581 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT5D.tmp"
Wed 12 Mar 2008 2,551 A..H. --- "C:\Documents and Settings\abc\Local Settings\Application Data\SupportSoft\talktalk\abc\data\sprt_articlefaq\BIT5E.tmp"
Finished!
#7 - 29th Mar 2008 - evilfantasy (CJ Moderator)

Looks good so far, how are the other scans coming along?
#8 - 30th Mar 2008 - lawt555 (CJ Member)

Hi

Here are the results from the malware scan.

Just gonna do the HostsXpert one now.

Malwarebytes' Anti-Malware 1.09
Database version: 567
Scan type: Full Scan (C:\|)
Objects scanned: 107589
Time elapsed: 26 minute(s), 17 second(s)
Memory Processes Infected: 4
Memory Modules Infected: 0
Registry Keys Infected: 32
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 29
Memory Processes Infected:
C:\WINDOWS\system32\drivers\ctfmon.exe (Trojan.Agent) -> Unloaded process successfully.
C:\WINDOWS\system32\drivers\ctfmon.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe (Trojan.Agent) -> Unloaded process successfully.
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe (Trojan.Agent) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{50a1aa3b-80e3-15cf-0f1a-83a98ad98fe9} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7f68785e-4894-7bb2-5fde-cc3eee2ebc82} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e698e657-649e-5d40-752d-9a3b78ea832a} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{fe3af205-54df-b146-1f0e-c9262829ed18} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.browserwatcher (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0daee015-a728-c212-9b8f-298391b8328e} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{aaf21892-e4d8-e8ed-e36a-3a91e3b2db29} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d0661233-42d4-f7f1-80e1-8a9e0e99e71d} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.browserwatcher.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.precachebrowserhost (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.precachebrowserhost.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.pornpro_bho (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\browsingtool.pornpro_bho.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{84d39d08-a551-a4e5-c8d1-3327573d4640} (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\browsingtool (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\playmp3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Mirar (AdWare.Mirar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\BrowsingTool (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BrowsingTool.DLL (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.BrowserWatcher (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.BrowserWatcher.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.PornPro_BHO (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.PornPro_BHO.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.PrecacheBrowserHost (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\BrowsingTool.PrecacheBrowserHost.1 (AdWare.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\fbrowsingadvisor_is1 (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\FBrowsingAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowserAdvisor (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Start Menu\Programs\PlayMP3z (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\BrowsingTool\BrowsingTool-2.dll (AdWare.Agent) -> Quarantined and deleted successfully.
C:\regxpcom.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\XPCOMEvents.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\PlayMP3.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2000478354-484763869-682003330-1003\Dc85.exe (Rogue.SpywareIsolator) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-2000478354-484763869-682003330-1003\Dc87.exe (Rogue.SpywareIsolator) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP109\A0072347.dll (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP114\A0077643.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP114\A0077644.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP114\A0077645.exe (Adware.SaveNow) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP114\A0077646.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP114\A0077647.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{58D83684-347A-4A7F-8A6D-84FD6AF2818F}\RP92\A0060370.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\IXPCOMEvents.xpt (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\Logo.png (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\main.db (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.dat (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\FBrowsingAdvisor\unins000.exe (Trojan.FBrowsingAdvisor) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\BrowsingTool.dat (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\pcre3.dll (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Program Files\BrowsingTool\uninstall.exe (AdWare.Agent) -> Quarantined and deleted successfully.
C:\Program Files\PlayMP3z\uninstall.exe (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Start Menu\Programs\PlayMP3z\Run PlayMP3z.lnk (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\ctfmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\ftpdll.dll (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Favorites\Online Security Test.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Application Data\spool.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\ftpdll.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  #9  
Old 30th Mar 2008
evilfantasy
CJ Moderator

Good job, those got most of what I was worried about. Need a new HijackThis log. Also let me know how things are now.
  #10  
Old 30th Mar 2008
lawt555  England
CJ Member

OK evilfantasy, I just reset my internet stuff as you requested.

Here is the second HijackThis scan.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:57:01, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\TalkTalk\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cfp.exe
C:\Program Files\TalkTalk\bin\sprtcmd.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Gigabyte\ET5Pro\GUI.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer Provided By Wanadoo
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EasyTuneVPro] C:\Program Files\Gigabyte\ET5Pro\ETcall.exe
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\abc\Local Settings\Application Data\spool.exe
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
--
End of file - 7563 bytes