Removal of trojan W32.Sinnaka.A@mm unsuccessful

Guest

My computer got infected by a spyware that itself generates a security
message saying that it is the W32.sinnaka.A@mm virus. MS AntiSpyware
discovered the virus and said it removed it; however, when I start Internet
Explorer it still goes to the site: www.warningmessage.com and I get all
kinds of pop-ups; as well as a security message in my Windows taskbar which
brings me to a site where anti-spyware is advertized. It also intercepts if
I go from one to another website. I cannot apply the instructions on the
Norton website because I have not found the mentioned files in the Registry.
So this spyware still sits somewhere and I don't know where... Any help?
 
Guest

PS: I have not been able to report this to Microsoft using the Reporting
Tool; when sending this message as below I get an error.
 
Guest

Hey Max

You do not have the W32.Sinnaka.A worm; you have a Trojan related to the
Smitfraud infection, which has hijacked your IE settings to that site to try
to get you to install PSGuard / SpySheriff (Spytrooper) / Raze / WorldAntispy.

Use Smitrem & Ewido and Ccleaner to remove temp files (Copy and save this to
notepad so you can still view it in safe mode)

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1

Save it to your desktop, right-click on the file and extract it to its own
folder on the desktop.

Download Ewido Security Suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes (the status bar
at the bottom will display "Update successful") Exit Ewido. DO NOT scan yet.

Download Ccleaner (To Remove Temp and unused files from your system)

http://download.ccleaner.com/download124bin.asp

Install Then close

Now reboot to Safe Mode - Restart your computer and immediately begin
tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe
Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run Smitrem :

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive,
eg; Local Disk C: or partition where your operating system is installed.

Run Ewido

Click on the Scanner button in the left menu, then click on complete system
scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and
"Create encrypted backup" before clicking on ok. When the scan finishes,
click on "Save Report" from the bottom of the screen and save it to your
desktop in case you need more help with this.

Run Ccleaner and press "Run Cleaner" then exit.

While still in safe mode reset the Internet Settings: Go to Start Menu then
Control Panel then to Internet Options, click the Programs tab and press
"Reset Web Settings" and include the homepage then press Yes. Then go to the
General tab and enter the homepage you want to use into the space provided
and press Apply.

Then Reboot back to Normal Mode

Let us know if you have any problems

Regards

Andy
 
Guest

Hi Andy,
My pc has similar problems: I have probably installed spytrooper, or I have
the trojan.
A windows (look alike?) pop up appears all the time saying: [yellow triangle
with exclamation mark] Your computer is infected! Windows has detected
spyware infection ... etc
After running spy bot with no effect, I googled spytrooper and found the
instructions below. I followed them to the letter, but the pop-up still
appears.

You know of anything else I might try?

And do you know if it is safe for me to type in webmail passwords etc while
this spyware is active?

Any help would be greatly appreciated.

Anton
 
Guest

Hi AntonO

With you saying you followed the instructions below I assume you mean the
Ewido and Smitrem fix? If that didn't help then we should use Hijack This and
check your system in more detail. There is a lot of junk using these fake
warnings to make users download their junk so it could be a different
infection.

Regarding the passwords, you should avoid banking online and logging into
sites like PayPal until we know what's on your system, but that's just to be
safe until I see a hijack log. SpyTrooper, which is just SpySheriff, and the
other rogue removers will not record passwords; they just want to trick users
into buying their products by infecting the system then displaying pop-ups
that link to their removers. Then they will scan and show your system's
infected and say you need to pay them to remove it, which they wouldn't even if
you did pay them as they are connected to the trojans causing this. They
would probably remove cookies and show them as critical threats but leave the
trojans and hijacked settings in place.

Use Hijack This and post the logs to (e-mail address removed) and I will
check them over and let you know what's causing the problems.

Download 'Hijack This'.

http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click
HijackThis.exe, and click "System scan and save the logfile".

When the scan is finished it will open the results in notepad and also save
the log into the Hijack This folder. Can you email me that log? Most of what
it lists will be harmless or even essential to your system so don't fix
anything at this stage.

Run HijackThis again and from the main menu click on 'Open the Misc Tools
section', and then on "Open Uninstall Manager". Click the 'Save list' button,
save the file 'uninstall_list.txt' to your Desktop, and post the contents
with the Hijack This log.

Regards

Andy
 
Guest

Hi Andy,
yep: I did the ewido / smitrem / ccleaner fix.
Thanks for the reassurance on the use of internet / password etc.

And thanks in advance for your time!
Anton


here is the hijackthis log
Logfile of HijackThis v1.99.1
Scan saved at 21:01:53, on 10-11-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\OpenVPN\bin\openvpn-gui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Freecom Personal Media Suite\FCPMS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1043\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.euro.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
http://www.google.nl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
Koppelingen
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} -
C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network
Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network
Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Zone Labs Client]
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NiLGzD.exe] D:\temp\NiLGzD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [szsj] C:\WINDOWS\szsj.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows
ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware
Doctor\swdoctor.exe" /Q
O4 - Startup: Freecom Personal Media Suite.lnk = C:\Program Files\Freecom
Personal Media Suite\FCPMS.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st
800-840\dslmon.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} -
C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network
Associates, Inc. - C:\Program Files\Network Associates\Common
Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates,
Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network
Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program
Files\Spyware Doctor\sdhelp.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe






and here is the uninstall_list.txt
ABF Fonts
Actiontec MD56ORD V92 MDC Modem
Adobe Acrobat 5.0
AH Fotoservice
Ahead Nero - Burning Rom
Binary News Reaper 0.14.6 Beta
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon PhotoRecord
Canon S330
Canon Utilities Easy-PhotoPrint
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Dell Modem-On-Hold
Dell Solution Center
Delphi 3
Digital Line Detect
E2give Plug-in
EditPlus 2
EPSON TWAIN 5
Euroglot Professional 4.0
ewido security suite
Freecom Personal Media Suite 1.27
Girotel
Google Earth
HASP Device Driver
HijackThis 1.99.1
Hotfix voor Windows Media Player [zie Q828026 voor meer informatie]
hp deskjet 3420 series
Internet Explorer Q832894
Ipswitch WS_FTP Pro
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.9.30
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft Office 2000 SR-1 Professional
Modem Helper
MP3 Player
Music Manager
NoteWorthy Player
NVIDIA Windows 2000/XP Display Drivers
OpenVPN 2.0_rc9-gui-1.0-rc2
Outlook Express Q837009
PA090
Pdf995
PrintMusic! 2002
RealPlayer
Roll
ROUTE 66 Route 2001-2002
ROUTE 66 Route 2004
SAGEM F@st 800-840
Security Toolbar
SPSS 7.5 for Windows
Spybot - Search & Destroy 1.3
Spyware Doctor 3.2
Synaptics TouchPad
Visual Fortran 6.0
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix (SP2), Q819696
WinZip
ZoneAlarm
 
Guest

Hi Again

Sorry for the delay I was helping someone with a different spyware problem
through email and just came back on here, Can you give me about 30 minutes to
check your log and I will post a fix,

Thanks Andy
 
Guest

Hi Again, there's a couple of problems showing but I'm sure we can fix them
easily :)

Copy this to notepad and save it to desktop so you can still view it in safe
mode, double clicking my name on the response section will open it into a new
window if needed.

Update the definitions in Ewido but use it later in safe mode.

Reboot to safe mode (Reboot and keep tapping F8 then choose safe mode from
the list)

Go to the Add/Remove Programs screen (Start Menu > Control Panel > Add/Remove
Programs)

Then remove these :

Security Toolbar
E2give Plug-in

Run Hijack this and choose system scan and place a check next to these
entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
about:blank

O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} -
C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)

O4 - HKLM\..\Run: [NiLGzD.exe] D:\temp\NiLGzD.exe

O4 - HKLM\..\Run: [szsj] C:\WINDOWS\szsj.exe

O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows
ControlAd\WinCtlAd.exe

With the above checked close all open browser windows except Hijack This and
press 'Fix Checked'

Next delete these files and folders:

C:\WINDOWS\szsj.exe <-- Delete this file
D:\temp\NiLGzD.exe <-- Delete this file

C:\Program Files\Windows ControlAd <-- Delete this folder
C:\Program Files\E2Give (Or E2G) <-- Delete this folder
C:\Program Files\Security Toolbar <-- Delete this folder

Run Ewido again. From the main menu click on 'scanner' then click 'Complete
System Scan'. When ewido finds something, it will pop up a notification.
Select "Remove" and check the boxes "Perform action with all infections" and
"Create encrypted backup" then click on OK. When the scan finishes, click on
"Save Report" and save it to your desktop or C: drive in case you need it
again.

Run Ccleaner and press Run Cleaner to remove temp and unused files.

Reboot back to normal mode :

You're done :) Below I have included a number of recommendations for how to
protect your computer in order to prevent future malware infections.
Please take them seriously; these few simple steps can prevent the vast
majority of spyware problems.

Please navigate to http://windowsupdate.microsoft.com and download all the
"critical updates" for Windows, including the latest version of Internet
Explorer. This can patch many of the security holes through which attackers
can gain access to your computer. Your current versions are outdated. I
cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing
and running the following free programs:

Ad-Aware SE

http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html

Spybot Search & Destroy (I can see you have it installed but you have
version 1.3)

Remove Spybot Search and Destroy using the Add/Remove screen and update to
the new version from here:

http://www.safer-networking.org/en/mirrors/index.html

Please also remember to enable Spybot's "Immunize" feature.

SpywareBlaster

http://www.javacoolsoftware.com/spywareblaster.html

Make sure to keep these programs up-to-date and to run them regularly, as
this can prevent a great deal of spyware hassle.

Hopefully this should take care of your problems but let me know if I can
help more

Good luck. :)

Andy
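
The autostart review Andy applies to the log above can be sketched as a small triage script. This is an added example, not part of the original thread; its three heuristics (missing target file, autostart from a temp folder, autostart image sitting directly in the Windows folder) are assumptions chosen for illustration, not Andy's stated criteria, and the sample input is assembled from entries in the posted log.

```python
import re
from ntpath import dirname  # Windows path rules, usable on any OS

# Sample input assembled from the log posted in the thread, with the forum's
# hard line wraps left in place so the re-joining step is exercised.
SAMPLE_LOG = r"""O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} -
C:\Program Files\Security Toolbar\Security Toolbar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [NiLGzD.exe] D:\temp\NiLGzD.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [szsj] C:\WINDOWS\szsj.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows
ControlAd\WinCtlAd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""

# Every HijackThis finding starts with a section code such as "R1 - " or "O4 - ".
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
# O4 registry autostart: hive, key name, value name in brackets, command line.
RUN_ENTRY = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Program image: a quoted path, or everything up to the first executable suffix.
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|scr|pif))(?=\s|$)', re.I)
WINDOWS_ROOT = re.compile(r"^[a-z]:\\(?:windows|winnt)$", re.I)
TEMP_DIRS = {"temp", "tmp"}  # assumed folder names, illustrative only


def rejoin(log_text):
    """Undo hard wraps: a line that does not open a new entry continues the
    previous one. Header and process-list lines before the first entry are
    ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:
            entries[-1] += " " + line
    return entries


def image_path(command):
    """Return the program path from a Run command line, without arguments."""
    m = IMAGE.match(command)
    if not m:
        return command.split()[0]
    return m.group(1) or m.group(2)


def triage(log_text):
    """Return (entry, reasons) pairs for entries worth a closer look."""
    findings = []
    for entry in rejoin(log_text):
        reasons = []
        if entry.endswith("(file missing)"):
            reasons.append("target file missing")
        run = RUN_ENTRY.match(entry)
        if run:
            folder = dirname(image_path(run.group(4)))
            parts = {p.lower() for p in re.split(r"[\\/]", folder)}
            if parts & TEMP_DIRS:
                reasons.append("autostart from a temp directory")
            if WINDOWS_ROOT.match(folder):
                reasons.append("autostart image directly in the Windows root")
        if reasons:
            findings.append((entry, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print("; ".join(reasons), "->", entry)
```

These heuristics surface three of the entries Andy selected. The `Windows ControlAd` entry sits in an ordinary Program Files path and is not flagged, so a flagged line is a lead for manual review and an unflagged line is not a clean bill of health.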
 
Guest

I am not able to create questions, apparently only allowed by the above
trojan to place my questions in the reply column. I have been infected for 1
week now and all programs run very slowly and I am always referred to
spyware/spysheriff/malware as the default window whenever I enter WIN
internet window and mcafee did not see it for 5 days and the worm repeatedly
defeats the mcafee virus/firewall blocks that were bundled within their
internet security 2006 suite. The worm cannot be cleaned, deleted or
quarantined.--can you please help me.
ALLAN AVBEL
 
Ira

Allan, try running Ewido and PcCillin 2006, just might take care of your
problem.
If not use "System Recovery" to a time prior to your problem.

Ira


: I am not able to create questions, apparently only allowed by the above
: trojan to place my questions in the reply column. I have been infected for 1
: week now and all programs run very slowly and I am always referred to
: spyware/spysheriff/malware as the default window whenever I enter WIN
: internet window and mcafee did not see it for 5 days and the worm repeatedly
: defeats the mcafee virus/firewall blocks that were bundled within their
: internet security 2006 suite. The worm cannot be cleaned, deleted or
: quarantined.--can you please help me.
: ALLAN AVBEL
:
:
: "Max-SR" wrote:
:
: > My computer got infected by a spyware that itself generates a security
: > message saying that it is the W32.sinnaka.A@mm virus. MS AntiSpyware
: > discovered the virus and said it removed it; however, when I start Internet
: > Explorer it still goes to the site: www.warningmessage.com and I get all
: > kinds of pop-ups; as well as a security message in my Windows taskbar which
: > brings me to a site where anti-spyware is advertized. It also intercepts if
: > I go from one to another website. I cannot apply the instructions on the
: > Norton website because I have not found the mentioned files in the Registry.
: > So this spyware still sits somewhere and I don't know where... Any help?
 
Guest

Hi ALLAN

Have you tried the fix I posted to Max (Smitrem, Ewido & Ccleaner), as it's
likely you have a variant of the smitfraud infection if it's hijacked your IE
settings? It's also worth running an online virus scanner to make sure there
aren't other virus problems on your system:

Download SmitRem

http://noahdfear.geekstogo.com/click counter/click.php?id=1


Save it to your desktop, double-click Smitrem.exe to extract it to its own
folder on the desktop.

Please download, install, and update the free version of ewido security suite

http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background
guard" and "Install scan via context menu". Click on update in the left menu,
then click the Start update button. After the update finishes close Ewido

Download Ccleaner

http://www.ccleaner.com/ccdownload.asp

Install then close

Copy this to notepad and save it so you can still view it in safe mode

Reboot into safe mode (Reboot and keep tapping F8 then choose safe mode from
the list)

Open the smitRem folder, then double click the RunThis.bat file to start the
tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive,
eg; Local Disk C: or partition where your operating system is installed.

When that's finished run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'.
When ewido finds something, it will pop up a notification. Select "Remove"
and check the boxes "Perform action with all infections" and "Create
encrypted backup" then click on OK. When the scan finishes, click on "Save
Report" and save it to your desktop or C: drive in case you need it again.

Next run Ccleaner and press the run cleaner button

Reboot Back To Normal Mode

Then do a full system scan with Panda's Activescan. Make sure the autoclean
box is checked and save the scan log when it's finished.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

You will need to reload your wallpaper after this tool finishes. Smitrem
will reset it because Trojans related to this infection will display a
spyware warning as a desktop wallpaper which cannot be removed. To change
your wallpaper right-click the desktop and choose Properties, set the Theme
to XP if you are running XP, then go to the Desktop tab and choose your
wallpaper from there.

All The Best

Andy
 
Guest

Hi AndyManchesta,
I have the same virus/adware, but do not have the IE redirected to sites
other than what I use for a homepage. The Adware Killer Pro had detected this
a couple of weeks ago, but none of the following finds it, MS Spyware Beta,
Norton Internet Security, McAfee, and Defender Pro. I did the 'Safe' mode
adware check/cleaned with the Adware Killer Pro and temporarily clean the
affected registry:
HKEY_LOCAL_MACHINE:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The Trojan is back in the normal mode once again. I will try the information
you gave below and post back for conclusions.
 
Guest

Fredmandude said:
Hi AndyManchesta,
I have the same virus/adware, but do not have the IE redirected to sites
other than what I use for a homepage. The Adware Killer Pro had detected this
a couple of weeks ago, but none of the following finds it, MS Spyware Beta,
Norton Internet Security, McAfee, and Defender Pro. I did the 'Safe' mode
adware check/cleaned with the Adware Killer Pro and temporarily clean the
affected registry:
The Trojan is back in the normal mode once again. I will try the information
you gave below and post back for conclusions.


Hi Fredmandude :)

I'm not familiar with Adware Killer Pro but if your homepage has been changed
then it's likely you have some form of infection. Try running Ewido and
Panda ActiveScan and save the logs from both programs.

Run Panda Activescan from

http://www.pandasoftware.com/products/activescan

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See
Report button, then Save Report and save it to a convenient location so you
can post it back.

Download Ewido from

Here http://www.ewido.net/en/download

When installing, under "Additional Options" uncheck "Install background
guard". Click on update in the left menu, then click the Start update button.
After the update finishes, from the main menu click on 'scanner' then click
'Complete System Scan'. If ewido finds something, it will pop up a
notification. Select "Remove" and check the boxes "Perform action with all
infections" and "Create encrypted backup" then click on OK. When the scan
finishes, click on "Save Report" and save it to your desktop or C: drive and
post back the results if it detects any malware (except cookies).

Let us know if you have any problems

Andy
 
Guest

I need help. Can someone tell me what's wrong with my pc? I ran hijackthis
and the log was:
Logfile of HijackThis v1.99.1
Scan saved at 12:34:16 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\AOL\1166397881\ee\AOLSoftware.exe
C:\Program Files\Common
Files\AOL\1166397881\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
C:\Program Files\mcafee.com\antivirus\oasclnt.exe
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1166397881\ee\SSCEvtHdlr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ipalm Camera Driver 1.0\ipalmmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common
Files\AOL\1166397881\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1166397881\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\mcafee.com\personal firewall\MpfTray.exe
C:\Program Files\AOL 9.0a\waol.exe
C:\Program Files\AOL 9.0a\shellmon.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\sonia\Local Settings\Temporary Internet
Files\Content.IE5\5VBMG364\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper -
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common
Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -
C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program
Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common
Files\AOL\1166397881\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common
Files\AOL\1166397881\ee\services\safetyCore\ver210_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common
Files\AOL\1166397881\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program
Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal
firewall\MPfTray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program
Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common
Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe"
-atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.0a\AOL.EXE" -b
O4 - Global Startup: ipalm Monitor 1.0.lnk = C:\Program Files\ipalm Camera
Driver 1.0\ipalmmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
%windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) -
http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} (QuickBooks Online Edition
Utilities Class v9) - https://accounting.quickbooks.com/c12/v16.568/qboax9.cab
O16 - DPF: {4CCA4E6B-9259-11D9-AC6E-444553544200} (FixController Control) -
http://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1184015843968
O20 - Winlogon Notify: IntelWireless - C:\Program
Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program
Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC -
C:\Program Files\Common
Files\AOL\1166397881\ee\services\safetyCore\ver210_5_4_1\aolavupd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program
Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA,
Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. -
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee
Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program
Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel
Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program
Files\Intel\Wireless\Bin\WLKeeper.exe
 
