| Thread ID: 71090 | 2006-07-26 08:28:00 | Hijack. | Cicero (40) | Press F1 |
| Post ID | Timestamp | User |
| 473763 | 2006-07-26 08:28:00 | Cicero (40) |

Got some spyware running, thrown everything at it, but no luck. Could we have a look at this lot, thanks.

```
Logfile of HijackThis v1.99.1
Scan saved at 7:23:10 p.m., on 26/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\oodag.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Documents and Settings\Kids\Desktop\hijackthis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [Ad Muncher] C:\Program Files\Ad Muncher\AdMunch.exe /bt
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - housecall65.trendmicro.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
```
| 473764 | 2006-07-26 08:35:00 | Speedy Gonzales (78) |

Looks like these are part of spyware:

```
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\IntCodec\isamonitor.exe
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
```

I would scan with Spybot or Adaware as well. And install a firewall.
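The entries Speedy picks out can be found mechanically by cross-referencing the sections of the log: the IntCodec directory has four running processes and a nameless O2 BHO, but no O4 Run entry and no O23 service anywhere in the log, which fits the later observation that the files reappear whenever Internet Explorer is opened. The script below is an added example written for this page, not code from HijackThis or from any poster; `SAMPLE_LOG` is a constructed subset of the log above, the "running processes + nameless BHO + no visible persistence" rule is a heuristic of my own, and all function names are mine.

```python
"""Triage a HijackThis-style log: flag directories whose processes are running
without any O4/O23 persistence entry but which also host a nameless O2 BHO.
Added example for this thread; the rule and names are the editor's, not HijackThis's."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of the log posted in this thread, reduced to the
# line types the rule needs (processes, O2 BHOs, O4 Run keys, O23 services).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\Program Files\IntCodec\isamonitor.exe
C:\Program Files\IntCodec\pmsngr.exe
C:\Program Files\IntCodec\isamini.exe
C:\Program Files\IntCodec\pmmon.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5753791b-f607-48ca-814e-91c14d081f9e} - C:\Program Files\IntCodec\isaddon.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
"""

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: .+? = (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.+)$")


def image_from_command(cmd):
    """Return the executable path from a Run-key command line.
    A quoted image ends at the closing quote; an unquoted one ends before the
    first ' /' switch (the form every O4 line in the posted log uses)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" /", 1)[0].strip()


def parent_dir(path):
    """Case-folded directory part, so HKCU/HKLM/process spellings compare equal."""
    return ntpath.dirname(path.strip()).lower()


def parse_hjt(text):
    """Split the log into the four record types the rule uses."""
    entries = {"process": [], "bho": [], "autostart": [], "service": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            entries["process"].append(line)
            continue
        m = BHO_RE.match(line)
        if m:
            entries["bho"].append(m.groupdict())
            continue
        m = RUN_RE.match(line)
        if m:
            entries["autostart"].append({"source": m["where"], "path": image_from_command(m["cmd"])})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries["autostart"].append({"source": "Startup folder", "path": m["path"]})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries["service"].append(m.groupdict())
    return entries


def flag_unanchored_clusters(entries):
    """Directories with running processes and a nameless BHO but no autostart
    or service entry: nothing in the log explains how the processes started."""
    running = defaultdict(list)
    for image in entries["process"]:
        running[parent_dir(image)].append(ntpath.basename(image))
    persisted = {parent_dir(e["path"]) for e in entries["autostart"]}
    persisted |= {parent_dir(e["path"]) for e in entries["service"]}
    nameless_bho = {parent_dir(e["path"]): e["clsid"]
                    for e in entries["bho"] if e["name"] == "(no name)"}
    findings = {}
    for directory, images in sorted(running.items()):
        if directory in nameless_bho and directory not in persisted:
            findings[directory] = {"processes": sorted(images),
                                   "bho_clsid": nameless_bho[directory]}
    return findings


if __name__ == "__main__":
    for directory, info in flag_unanchored_clusters(parse_hjt(SAMPLE_LOG)).items():
        print(f"{directory}: {len(info['processes'])} running, no Run/service entry, "
              f"nameless BHO {{{info['bho_clsid']}}} -> {', '.join(info['processes'])}")
```

Note that the Spybot SDHelper.dll BHO is also "(no name)" but is not flagged, because no process runs from its directory; the rule needs all three signals together, which keeps a legitimate nameless helper from producing noise. Run on the full log above the only hit is `c:\program files\intcodec`, matching Speedy's list.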
| 473765 | 2006-07-26 08:50:00 | Cicero (40) |

Thanks Speedy, had run both Adaware and Spybot, they found other spyware but not this lot. How do you remove the c:/ stuff? I highlighted and deleted, but when I did another scan it was still there.
| 473766 | 2006-07-26 09:08:00 | Speedy Gonzales (78) |

> Thanks Speedy, had run both Adaware and Spybot, they found other spyware but not this lot. How do you remove the c:/ stuff? I highlighted and deleted, but when I did another scan it was still there.

Boot into safe mode and delete that folder/those files. Or see if there are any strange entries in Add/Remove Programs. And uninstall it.
| 473767 | 2006-07-26 21:48:00 | Cicero (40) |

Thanks again Speedy. Still no luck. Every time I delete as instructed, they all come back again. It manifests itself when I open I/E: I get a page of malware removers, all wanting me to do a scan.
| 473768 | 2006-08-10 21:52:00 | Mickey101 (10820) |

My system was infected with the Trojan.Emcoder.g virus, which resided in the isamini.exe file. This trojan also drops another virus into your system. I have used Norton, which detects it and removes the virus it drops, but can't remove the Emcoder, quarantine or delete the file. This thing corrupted my internet browser, setting my home page (unchangeable, by the way, no matter what you enter in Tools) to an advertising web site for a bunch of fake spyware and malware protection software, saying essentially that it will remove the virus they infected your system with if you pay them $40.00 for their software... It slows your system, allows popups (mostly fake ads for their extortion software) and sends out fake virus alerts etc. ... Norton has a removal method that seemed to work, but 3 hours later the file is back... Seems every time you access Internet Explorer it reloads the virus. If you look close they claim to be a software company located in Cyprus, and will sell you a franchise to their scam... This virus is basically an extortion scam, run from off shore. They have found a way to corrupt Internet Explorer and turn it into a vehicle for the virus.. It even adds a toolbar with 6 icons all leading to their web site where you can buy the software to remove the virus they infected your system with..... Since they are demanding money there must be a way to follow it back to these crooks. If anyone knows a fix that they have used, and it has stayed fixed for 48 hours, please post it.
| 473769 | 2006-08-10 22:32:00 | Cicero (40) |

My way, I am sorry to say, was to reformat.
| 473770 | 2006-08-10 22:37:00 | beetle (243) |

hey Thomas.. :p does that mean you lost everything? no back ups? :confused:

beetle
| 473771 | 2006-08-11 01:52:00 | Pancake (6359) |

Hi. IntCodec was very fixable... for future reference:

Download SmitfraudFix (by S!Ri) to your Desktop: siri.urz.free.fr/Fix/SmitfraudFix.zip

Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Reboot your computer in Safe Mode:

- If the computer is running, shut down Windows, and then turn off the power.
- Wait 30 seconds, and then turn the computer on.
- Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
- Ensure that the Safe Mode option is selected. Press Enter. The computer then begins to start in Safe Mode.
- Login on your usual account.

Open the SmitfraudFix folder, then double-click the smitfraudfix.cmd file to start the tool. Select option #2 - Clean by typing 2 and press Enter. Wait for the tool to complete and disk cleanup to finish.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?" Answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if the computer does not restart automatically please do it yourself manually.
| 473772 | 2006-08-11 02:13:00 | Billy T (70) |

> My way, I am sorry to say, was to reformat.

Those nrop sites are a bugger Ciccy :D Stick to efas surfing and she'll be jake.

Cheers

Billy 8-{) :thumbs: