System virus
My PC Hell Forum
November 19, 2008, 09:20:22 AM *
Author Topic: System virus  (Read 2679 times)
kfar
New FixmyXP Member, Posts: 8
« on: January 06, 2007, 04:52:00 AM »

Hi,

I have something going on in my system volume information folder. It's called _restore{BDAD7895-CACD-41F8-851F-E533A765DE3A}. I have tried everything and I can't seem to get rid of it.

I have tried turning system restore off but when I go into the system volume information folder it is gone. As soon as I turn it back on it is there again.

None of my antivirus or spyware is picking it up. Can someone please help ASAP.
Essexboy
Administrator, Posts: 899
« Reply #1 on: January 06, 2007, 01:30:13 PM »

One way is to delete your current system restore and create a new one. The best way I find to do it is as follows:

First go START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > SYSTEM RESTORE
Then on the dialogue select create a new restore point, then click OK.

Next

Go START > ALL PROGRAMS > ACCESSORIES > SYSTEM TOOLS > DISK CLEANUP

The first dialogue will allow you to select the drive; having done that, select OK.
After a moment or two a tabbed box will appear; select the MORE OPTIONS tab.
At the bottom will be a System Restore section; select Clean up. This will delete all restore points except the one you have just created. Accept all warnings and you are done.

If you are still concerned then

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

VISTA
XPsp2
Avast (of course)
http://spaces.msn.com/members/essexboymkn/
If ignorance is bliss, why aren't more people happy?
kfar
New FixmyXP Member, Posts: 8
« Reply #2 on: January 07, 2007, 12:56:08 AM »

Here is the log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 3:23:20 PM, on 7/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\Connection Manager\BPConnect.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ikqk] C:\PROGRA~1\COMMON~1\ikqk\ikqkm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136878434328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136880574421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EBA81A-3699-47C0-8C08-06344F3AF29E}: NameServer = 61.9.134.49 61.9.194.49
O17 - HKLM\System\CS1\Services\Tcpip\..\{41EBA81A-3699-47C0-8C08-06344F3AF29E}: NameServer = 61.9.134.49 61.9.194.49
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxci_device -   - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

I followed the other steps that you suggested but the folder is still there.

Essexboy
Administrator, Posts: 899
« Reply #3 on: January 07, 2007, 07:52:14 AM »

Just re-read your post and that is the actual name of the restore folder, so it is not a problem. Can you confirm that your ISP is in Australasia?
However, looking at your log you have a trojan (O4 - HKCU\..\Run: [ikqk] C:\PROGRA~1\COMMON~1\ikqk\ikqkm.exe) and I am concerned that you have no O20 entries. There is also no indication of a firewall; do you have one?

So I will help you to get rid of it. Please follow the instructions below:

1. Download ComboFix.exe using either of these links:

BleepingComputer

Techsupportforum.com

2. Double click on combofix.exe & follow the prompts to allow the tool to run.

3. When it has finished, it will produce a log for you. Post that log & a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running; that may cause it to stall.
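The reasoning in the reply above (a Run value with a random-looking name, launching an executable from a same-named folder under Common Files, plus a second scan to confirm it is gone) can be scripted. The following is an added example, not code from the thread, HijackThis or ComboFix; the "suspicious" heuristics are assumptions for illustration, and the sample lines are copied from the first and final HJT logs posted in this thread, trimmed to the entries that matter.

```python
"""Added example (not code from the thread, HijackThis or ComboFix): triage
HijackThis O4 autorun lines and diff two scans to confirm a clean-up.
The 'suspicious' heuristics are assumptions for illustration, modelled on
what was flagged in the thread, not anything HijackThis itself does."""
import re
from dataclasses import dataclass

# Sample input copied from the thread's first and final HJT logs, trimmed to
# the lines that matter for this example. Raw strings keep the backslashes.
FIRST_SCAN = r"""
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ikqk] C:\PROGRA~1\COMMON~1\ikqk\ikqkm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
"""

FINAL_SCAN = r"""
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Registry-based O4 line: "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# The executable part of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class RunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # the registry value name shown in [brackets]
    command: str   # the full command line
    exe_path: str  # the executable part of the command line


def parse_run_entries(log_text: str) -> list[RunEntry]:
    """Extract the registry-based O4 entries from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"],
                                exe["path"] if exe else m["cmd"]))
    return entries


def looks_random(name: str) -> bool:
    """Heuristic: short, all-lowercase, vowel-poor value name such as 'ikqk'."""
    if not (3 <= len(name) <= 8 and name.isalpha() and name.islower()):
        return False
    return sum(c in VOWELS for c in name) / len(name) <= 0.25


def hides_in_common_files(entry: RunEntry) -> bool:
    """Heuristic: executable sits in a Common Files subfolder named after the value."""
    parts = entry.exe_path.lower().split("\\")
    in_common = any(p in ("common files", "common~1") for p in parts)
    return in_common and len(parts) >= 2 and parts[-2] == entry.name.lower()


def flag_suspicious(entries: list[RunEntry]) -> dict[str, list[str]]:
    """Map value name -> reasons for every entry that deserves a closer look."""
    flagged = {}
    for e in entries:
        reasons = []
        if looks_random(e.name):
            reasons.append("random-looking value name")
        if hides_in_common_files(e):
            reasons.append("runs from a Common Files folder named after the value")
        if reasons:
            flagged[e.name] = reasons
    return flagged


def diff_logs(old_text: str, new_text: str) -> tuple[list[str], list[str]]:
    """Compare the O-numbered lines of two HJT logs; returns (removed, added)."""
    def o_lines(text):
        return {ln.strip() for ln in text.splitlines() if re.match(r"O\d+ - ", ln.strip())}
    old, new = o_lines(old_text), o_lines(new_text)
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for name, why in flag_suspicious(parse_run_entries(FIRST_SCAN)).items():
        print(f"[{name}] -> {', '.join(why)}")
    removed, added = diff_logs(FIRST_SCAN, FINAL_SCAN)
    print("gone since first scan:", *removed, sep="\n  ")
    print("new since first scan:", *added, sep="\n  ")
```

Run against the two sample logs, the only flagged entry is `ikqk` (both heuristics fire), and the diff shows that entry gone in the final scan while the Zone Labs client, the vsmon service, SUPERAntiSpyware and its O20 Winlogon Notify entry have appeared, which is exactly what the thread's later replies confirm by eye. The heuristics are deliberately narrow; a name-only rule on its own would miss entries like the `[outlook]` value in the first log, so in practice every flagged path still gets looked up before anything is fixed.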
kfar
New FixmyXP Member, Posts: 8
« Reply #4 on: January 08, 2007, 02:54:01 AM »

Thanks for all your help.

I am in Australia and no, I don't have any firewall.

The ComboFix text is as follows:

Jessica - 07-01-08 17:16:02.35    Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Jessica\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\WINDOWS\system32\bszip.dll
C:\Program Files\winupdates

 
(((((((((((((((((((((((((((((((   Files Created from 2006-12-08 to 2007-01-08  ))))))))))))))))))))))))))))))))))
 
 
2007-01-03   09:17   <DIR>   d--------   C:\THE_BREAK_UP
2007-01-02   17:15   <DIR>   d--------   C:\WILL_AND_GRACE2_DISC_3
2007-01-01   21:17   <DIR>   dr-h-----   C:\Documents and Settings\Jessica\Recent
2007-01-01   20:43   <DIR>   d--------   C:\Program Files\XoftSpySE
2007-01-01   20:39   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-01-01   15:18   <DIR>   d--------   C:\WINDOWS\system32\ActiveScan
2007-01-01   13:07   4,928   --a------   C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-01-01   13:07   343,168   --a------   C:\WINDOWS\system32\drivers\avg7core.sys
2007-01-01   13:07   18,944   --a------   C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-01-01   13:07   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-01-01   12:59   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
2007-01-01   08:49   <DIR>   d--------   C:\Program Files\Java
2007-01-01   08:49   <DIR>   d--------   C:\Program Files\Common Files\Java
2007-01-01   08:49   <DIR>   d--------   C:\Documents and Settings\Jessica\Application Data\Sun
2007-01-01   08:46   <DIR>   d--------   C:\Program Files\Sunbelt Software
2007-01-01   08:26   <DIR>   d--------   C:\Program Files\Spybot - Search & Destroy
2007-01-01   08:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-31   14:09   <DIR>   d--------   C:\Program Files\CCleaner
2006-12-31   13:43   <DIR>   d--------   C:\WINDOWS\pss


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-07 15:23   5289   --a------   C:\Program Files\hijackthis.log
2006-11-10 18:13   --------   d--------   C:\Program Files\Lexmark Applications
2006-11-10 18:12   --------   d--------   C:\Program Files\Lx_cats
2006-11-10 18:09   --------   d--------   C:\Program Files\Lexmark 7300 Series
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"NBJ"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"ikqk"="C:\\PROGRA~1\\COMMON~1\\ikqk\\ikqkm.exe"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"SoundMan"="SOUNDMAN.EXE"
"lxcimon.exe"="\"C:\\Program Files\\Lexmark 7300 Series\\lxcimon.exe\""
"EzPrint"="\"C:\\Program Files\\Lexmark 7300 Series\\ezprint.exe\""
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgemc.exe"
"AVG7_RegCleaner"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgregcl.exe /BOOT"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:0000009d

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-08 17:19:45.98
C:\ComboFix.txt ... 07-01-08 17:19


HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 5:23:06 PM, on 8/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Telstra\BigPond Wireless Broadband\Connection Manager\BPConnect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ikqk] C:\PROGRA~1\COMMON~1\ikqk\ikqkm.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136878434328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136880574421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EBA81A-3699-47C0-8C08-06344F3AF29E}: NameServer = 61.9.134.49 61.9.133.193
O17 - HKLM\System\CS1\Services\Tcpip\..\{41EBA81A-3699-47C0-8C08-06344F3AF29E}: NameServer = 61.9.134.49 61.9.133.193
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxci_device -   - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

Squeezebox
Administrator, Posts: 2756
« Reply #5 on: January 08, 2007, 03:58:24 AM »

I won't interfere in Essexboy's diagnostics, but I'm certain he will tell you to get a firewall. You don't have any control over outgoing traffic without one.

Zone Alarm is about the best of the free firewalls. Download it and install it.

Essexboy
Administrator, Posts: 899
« Reply #6 on: January 08, 2007, 05:00:02 PM »

Would agree with Dave on that, Kfar.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [ikqk] C:\PROGRA~1\COMMON~1\ikqk\ikqkm.exe

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.

Then download FileASSASSIN from here, extract it and install it (only 137 KB): http://www.malwarebytes.org/FileASSASSIN.zip

When the programme opens, use the Browse button to go to C:\PROGRAM FILES\COMMON FILES\ikqk\ikqkm.exe, highlight this file, then click Delete; a reboot may be required.


Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\COMMON FILES\ikqk

ComboFix showed the remnants of a SmitFraud infection, which is now gone.

I would like you to download and run this spyware programme for me, as it looks deeper than the ones you currently have: http://www.superantispyware.com/superantispywarefreevspro.html This is a free programme, so if you like it you can keep it or bin it, your choice. As soon as the programme is installed, check for updates (a button in the bottom left-hand corner).

Then run SuperAntispyware

On the first page select SCAN YOUR COMPUTER
On the next page select COMPLETE SCAN and tick ALL your drives
The next stage will take a while as your entire drive(s), memory and registry are scanned
When it has completed click NEXT
The next screen shows the problems found click OK
On the next screen place a tick against all items and select NEXT

Now, to get the log, go to the PREFERENCES button at the bottom right.
Select the STATISTICS/LOG tab.
Highlight the scan just completed and click VIEW LOG.
This will open a Notepad text file; copy and paste this into your next reply.

I highly recommend that you download and install a firewall; the easiest set-and-forget version is Zone Alarm Free: http://download.zonelabs.com/bin/free/1001_cnet_zdnet/zlsSetup_65_737_000_en.exe

Could you now post back with a new HJT and SAS log?


kfar
New FixmyXP Member, Posts: 8
« Reply #7 on: January 19, 2007, 05:52:14 PM »

Hi,

Sorry it took so long.

Here is my HJT and my SAS log.

SUPERAntiSpyware Scan Log
Generated 01/19/2007 at 10:00 PM

Application Version : 3.4.1000

Core Rules Database Version : 3143
Trace Rules Database Version: 1159

Scan type       : Complete Scan
Total Scan Time : 00:32:42

Memory items scanned      : 441
Memory threats detected   : 0
Registry items scanned    : 4852
Registry threats detected : 0
File items scanned        : 20031
File threats detected     : 6

Adware.Tracking Cookie
   C:\Documents and Settings\Jessica\Cookies\jessica@mb[2].txt
   C:\Documents and Settings\Jessica\Cookies\jessica@adv.webmd[2].txt
   C:\Documents and Settings\Jessica\Cookies\jessica@1069870899[1].txt
   C:\Documents and Settings\Jessica\Cookies\jessica@media.sensis.com[1].txt
   C:\Documents and Settings\Jessica\Cookies\jessica@adbrite[2].txt
   C:\Documents and Settings\Jessica\Cookies\jessica@tacoda[1].txt

Logfile of HijackThis v1.99.1
Scan saved at 8:14:48 AM, on 20/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\lxcicoms.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [AVG7_RegCleaner] C:\PROGRA~1\Grisoft\AVG7\avgregcl.exe /BOOT
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136878434328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136880574421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: lxci_device -   - C:\WINDOWS\system32\lxcicoms.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe


Essexboy
Administrator, Posts: 899
« Reply #8 on: January 20, 2007, 07:11:53 AM »

Hi Kfar, there is no problem with the timing; I'm not going anywhere for a while....

OK, you are CLEAN, hooray!


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point, but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point.
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The system will do some calculation and then display a dialogue box with tabs.
5. Select the More Options tab.
6. At the bottom will be a System Restore box with a CLEANUP button; click this.
7. Accept the warning and select OK again; the program will close and you are done.


Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
To keep your operating system up to date visit monthly.
To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

Any further problems, just shout.

malvachat
Rising Star, Posts: 81
« Reply #9 on: January 20, 2007, 07:37:26 AM »

Quote from: Squeezebox
I won't interfere in Essexboy's diagnostics, but I'm certain he will tell you to get a firewall. You don't have any control over outgoing traffic without one.

Zone Alarm is about the best of the free firewalls. Download it and install it.

Zone Alarm is a great firewall, but I found it slows down any P2P I was using.
So I switched to Comodo Free Firewall. Good move on my part; P2P is a lot faster.
It can be a bit of a pain at first, having to click all the permissions.
Once it settles down it runs lovely.
You can also set up your own rules, which can be handy for some P2P using single ports.

http://www.personalfirewall.comodo.com/

Beer is for life not just Christmas
Essexboy
Administrator, Posts: 899
« Reply #10 on: January 20, 2007, 12:10:33 PM »

Be careful with P2P programmes; you need to scan any and all files downloaded with your AV before running them. On G2G the majority of victims are users of these programmes. In themselves the programmes are not dangerous; it is what they are used for. So please be careful.
malvachat
Rising Star, Posts: 81
« Reply #11 on: January 20, 2007, 12:44:23 PM »

Quote from: Essexboy
Be careful with P2P programmes; you need to scan any and all files downloaded with your AV before running them. On G2G the majority of victims are users of these programmes. In themselves the programmes are not dangerous; it is what they are used for. So please be careful.

But of course, always careful.