
A little help please.

Discussion in 'Windows - Virus and spyware problems' started by vwsport80, Jun 4, 2007.

  1. vwsport80 (Regular member)

    Hey guys and gals,
    My computer is acting up. The firewall (Sygate) will shut down as soon as I boot up, and I can't back up movies as I get errors (which was working fine before). I'll post a HijackThis log. Any suggestions would be great. Thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:57:40 PM, on 6/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\**\Desktop\HijackThis\Scanner.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adelphia.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: WinCinema Manager.lnk = C:\Program Files\Sandisk\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
    O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
     
    Last edited: Jun 5, 2007
  2. Indochine (Regular member)

    Well, A*** R*******, I now know your real name, and so does whoever planted KGB Keylogger on your system. I suggest you cancel all your credit cards and change all your passwords.
     
    Last edited: Jun 5, 2007
  3. vwsport80 (Regular member)

    Okay, I took my name out, and I know about the keylogger being put on it. Although, I thought I took it off. How would I go about getting it off my computer? Anything else popping out at you guys?
     
    Last edited: Jun 5, 2007
  4. bluecoal (Guest)

    Please work through these steps and see if that improves your situation.

    Set your system to show hidden files. Scroll down the instructions here to find the ones for your operating system:
    http://www.bleepingcomputer.com/tutorials/tutorial62.html
    You can reverse these setting changes after you finish cleaning your system.
    (Edited to fix link error.)

    Get ATF cleaner here:
    http://www.atribune.org/content/view/25/2/
    Print the instructions.
    (I am going to ask you to run an online scan; my objective with this cleaner is to have you clean all the temporary file locations and all the cookies you do not have a reason to save. This will reduce the amount of “infected” items the online scan will catch. You do not need to clean the history and prefetch files if you do not want to.)

    For the keylogger:
    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe

    First check the add/remove programs for anything relating to it. If you find anything, run the remove. Next, go to C:\Program Files\KGB Keylogger and try to delete that folder. If the folder will not delete, delete as many files inside of it as you can. If the winlogons.exe file will not delete because it is in use, HijackThis has a delete file on reboot option in its misc tool section. Try that on the winlogons file. I’ll get you more instructions on that if you need them.

    After you get the keylogger folder removed, have HijackThis fix these lines.
    (The only reason I included the last two is because they indicated missing files.)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)

    Then reboot the system.
    Please run the atf cleaner.
    Then please do an online scan. This one will not fix anything, but it is a good scan for catching things. Infections will show up on the screen report as little skulls. Those are the lines we will be interested in.

    Please do an online scan with Kaspersky Online Scanner: http://www.kaspersky.com/virusscanner
    1. Click on Kaspersky Online Scanner.
    2. You will be prompted to install an ActiveX component from Kaspersky, click Yes.
    3. The program will launch and then begin downloading the latest definition files.
    4. Once the files have been downloaded click on Next.
    5. Now click on Scan Settings.
    6. In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    Extended
    o Scan Options:
    Scan Archives
    Scan Mail Bases
    7. Click OK.
    8. Now under select a target to scan:
    o Select My Computer.
    9. This program will start and scan your system.
    10. The scan will take a while so be patient and let it run.
    11. Once the scan is complete it will display if your system has been infected.
    o Now click on the Save Report As button.
    o In the File name: field, type kavscan.
    o In the Save as type: field, select Text file (*.txt).
    12. Save the file to your desktop.
    13. Copy and paste that information in your next post.

    Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.


    Then I think you should do a check for rootkits. If something shows up, I’ll probably have to ask for help in advising you on getting rid of it, but the first thing is just to check it out.

    Let AVG Antirootkit scan
    • Download the Beta Version of AVG AntiRootkit and save it to your desktop.
    • (at the bottom of this link
    http://free.grisoft.com/doc/5390#avg-anti-rootkit-free )
    • Install the program. All applications must be closed. You will have to restart your system.
    • Start antiRootkit.exe in its own folder.
    • Click onto the button "Search for Rootkits".
    • When the scan is finished, click the button "Save result to file", rename this log to log1.
    • Click the button "Perform in-depth search". You may not do anything on your machine while the scan is running.
    • When the scan is finished, click onto the button "Save result to file", rename this log to log2.
    • Locate avgark.log in the Grisoft folder, copy its content and post it.
    Then post a fresh hjt log, the Kaspersky scan log, and the rootkit log.
    Thanks.
    bc
     
    Last edited by a moderator: Jun 8, 2007
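The checks bluecoal applies to the log above (a Run entry whose path points into a keylogger folder, and O23 service entries reporting a missing file) can be scripted so they run the same way on every HijackThis log. The following is an added example, not code from this thread or from HijackThis; it parses a few lines copied from the log above plus one benign entry, and as a third rule not stated in the thread it flags a Run entry whose executable name is one character off a Windows system process name (winlogons.exe versus winlogon.exe); the list of system process names is an assumption.

```python
import re

# Constructed sample: four lines copied from the HijackThis log in the thread plus
# one benign HKCU Run entry, so the script runs offline.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winlogons.exe] C:\Program Files\KGB Keylogger\winlogons.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe", "smss.exe"}  # assumed list

def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one inserted, deleted or substituted character."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def exe_basename(command: str) -> str:
    """Last path component ending in .exe from a Run-entry command, lower-cased ('' if none)."""
    m = re.search(r'([^\\"]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def triage(log_text: str, keywords=("keylogger",)) -> list:
    """Return the O4/O23 lines a reviewer would ask about, each with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        reasons = []
        run = RUN_RE.match(line)
        if run:
            command = run.group(3)
            hits = [k for k in keywords if k in command.lower()]
            if hits:
                reasons.append("command path contains %r" % hits[0])
            exe = exe_basename(command)
            twin = next((s for s in SYSTEM_NAMES if exe != s and within_one_edit(exe, s)), None)
            if twin:
                reasons.append("%s is one character away from system binary %s" % (exe, twin))
        svc = SERVICE_RE.match(line)
        if svc and "(file missing)" in svc.group(3):
            reasons.append("service binary reported missing")
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings
```

Calling triage(SAMPLE_LOG) returns the keylogger Run entry (two reasons) and the missing-file service entry; the benign avast and PeerGuardian lines are not flagged.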
  5. vwsport80 (Regular member)

    Thanks for the response. I noticed the last 2 files you mention when I posted. Should I un & reinstall Avast since it has missing files?

    I'll get to work on your suggestions when I get home (at work now).

    Thanks again.
     
  6. bluecoal (Guest)

    Hi,

    I don't have the experience to give you a good answer on the avast question. Just thinking about what I would do if it were my computer, I think I would do the scans first, fix the things they find, and then do the avast reinstall.

    bc
     
  7. vwsport80 (Regular member)

    Thanks for the advice. I'll keep you all updated.
     
  8. vwsport80 (Regular member)

    Just wanted to leave a little update.
    I set it to show hidden files; I already knew how to do that (BTW your link just brings me to this thread).
    Got the ATF cleaner and ran it. Though you should know I have Firefox set to clean everything every time I close the browser. I also have a program for IE for when I have to use it (rarely). I think it's called IE Privacy Keeper. Cool little program.
    I don't remember how I removed the keylogger before (uninstall, add & remove, etc.), but obviously it didn't get everything. I looked in add & remove, nothing. I tried going to its location, nothing. Any ideas?
    I should be doing the rest tonight.
    If it makes any difference, it seems to crash every time I run DVD Shrink.
     
    Last edited: Jun 7, 2007
