Solved: Malware came with download of "GetRight"

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Two days ago I downloaded and installed the 'download accelerator' "GetRight, which had received a recommendation here at TSG. Coincidentally, I immediately after ran the MS antispyware beta program quite coincidentally. That program found the following malware on my machine, all installed at the time I acquired GetRight:

VX2. Buddy [IDed as spyware]
Trojan G [IDed as a Trojan]
ClockSpring.PuritySCAN. - - - [IDed as adware]
WinRecon [IDed as Commercial Key log- - -]

See also near the end of the Thread at: http://forums.techguy.org/t381908.html

{redoak} usually :) , but now :mad:
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
David: FYI I "quarantined" the malware after finding it using the MS beta program. Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:44:35 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
D:\gcasServ.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\gcasDtServ.exe
C:\WINDOWS\system32\pctspk.exe
D:\sunasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\SpywareGuard\sgmain.exe
D:\SpywareGuard\sgbhp.exe
C:\Program Files\AcmeNET\dialer.exe
C:\Program Files\AcmeNet TurboNet\ARTERAUI.EXE
C:\Program Files\AcmeNet TurboNet\artera.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [sunasDTServ] D:\\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] D:\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download using LeechGet - file://D:\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Parse with LeechGet - file://D:\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121596083953
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

END OF LOG, [redoak} :)
 
Joined
May 13, 2005
Messages
4,699
Beofre fixing anything please run in safe mode.

Safe Mode
*Here is the information on how to start in safe mode if you don’t know already:
http://service1.symantec.com/SUPPOR...src=sec_doc_nam


You need to put a tick next to the following entries on a new HJT scan, then click fix

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file
)


CCleaner

*Download CCleaner from http://www.filehippo.com/download_ccleaner.html
*Run the program and make sure you are on the windows tab in the top left corner.
*Click run cleaner
*This gets rid of all history, cookies, junk and temporary files

Startup Manager
* Download the program from http://www.mlin.net/files/StartupCPL_EXE.zip
* Run the program
* Click on each of the following tabs in succession and decide whether or not you want the things that appear there to start when your computer starts. All programs can be started in a different way, usually start/all programs etc….:

Startup (user)
Startup (common)
HKLM / Run
HKCU / Run
Services
Run Once

The more programs you move when start up, the faster your computer will run.

Ewido Security Suite

*Download Ewido from http://download.ewido.net/ewido-setup.exe
*This is a 30day free trial to use.
*At the end of the scan, a log will come up, post the log on here in the same way you did the Hijack This Log



David
p.s. GO FOR IT!!!!!!!!! (y)
 

DaveBurnett

Account Closed
Joined
Nov 11, 2002
Messages
12,970
All the above are confirmed as ok to action.
Are you on dial-up or broadband?
You have several different spyware etc protection programs running. I don't have any permanently running in the background. I just schedule updates and scans to run overnight every so often.
Do you use ReWriteable CDs/DVDs? If not you can lose the INCD service.
Do all the above and post another HJT log.
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Dave: Thanks for "coming aboard." I decide to try a System Restore" in place of working through the HJT log, as suggested by "David." In addition to putting "bad guys" into my system. "GetRight" also removed icons from my desktop. I did not think to check to see if the programs were still in place. Now the DT looks like it should, a good sign! I had done little to nothing i the past three days that would require "hand work" to bring the system back to the condition it was post the restore;point I used.

I am on dial-up. I have "SpywareGuard" and the MS beta running for their current/ongoing vigilance feature. Perhaps I should only use "SpywareGuard," discontinuing MS' beta. Your advice would be appreciated. I do update and run all my security progs at least weekly. What I am using were put in place based on favorable comments I saw here on TSG. {I back upmy entire system weekly to an external HDD using Acronis' "True Image."}

Here is a new HJT log produced adter I restored my system to before downloading "GetRight." Comment from both of you will be appreciated.
{redoak"

Logfile of HijackThis v1.99.1
Scan saved at 8:48:31 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\SpywareGuard\sgmain.exe
D:\SpywareGuard\sgbhp.exe
D:\gcasServ.exe
C:\Program Files\AcmeNET\dialer.exe
C:\Program Files\AcmeNet TurboNet\ARTERAUI.EXE
C:\Program Files\AcmeNet TurboNet\artera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download using LeechGet - file://D:\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://D:\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:07:12 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\SpywareGuard\sgmain.exe
D:\SpywareGuard\sgbhp.exe
D:\gcasServ.exe
C:\Program Files\AcmeNET\dialer.exe
C:\Program Files\AcmeNet TurboNet\ARTERAUI.EXE
C:\Program Files\AcmeNet TurboNet\artera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [gcasServ] "D:\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: SpywareGuard.lnk = D:\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Download using LeechGet - file://D:\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://D:\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Dave: I seldom use InCD. I use rewritable CDs when I do. I don't understand what you mean by "lose the InCD service." Please clarify.
{redoak}
 
Joined
May 13, 2005
Messages
4,699
DaveBurnett said:
All the above are confirmed as ok to action.
Are you on dial-up or broadband?
You have several different spyware etc protection programs running. I don't have any permanently running in the background. I just schedule updates and scans to run overnight every so often.
Do you use ReWriteable CDs/DVDs? If not you can lose the INCD service.
Do all the above and post another HJT log.
You still have nasties in your HJT log
Please follow the steps as posted by me earlier and as recommended by dave, as you aren't clean

David
 

DaveBurnett

Account Closed
Joined
Nov 11, 2002
Messages
12,970
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
As a priority, get rid of this one.

You don't need both sets of protection. I personally would use the one provided by SpyBot Search and destroy rather than either of the ones you are using.

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe can go.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081 and this
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) already told about this
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe and this


As for the services (INCD etc) , lets get this clean first, and we'll start on those later.
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
Many thanks to both of you. I will proceed with the short list of HJT 'tweaking.' I'll post another HJT log soon. By the way, my computer is running very well as of this time. I have updated the 'definitions,' etc. for all my security programs and have run a few, with no malware being found.
{redoak}
 
Joined
Feb 15, 2004
Messages
12,302
Leave these ones alone, these are for his ISP.


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=localhost:8081;http=localhost:8081 and this
O17 - HKLM\System\CCS\Services\Tcpip\..\{2E0F9E2C-91DA-4883-96C5-4F0FCBC5054C}: NameServer = 204.97.128.2 204.97.128.4
 

redoak

Thread Starter
Gone but never forgotten
Joined
Jun 24, 2004
Messages
6,781
First, I did NOT see the immediately preceding posts until this very moment, and the 017 and R 1 entries had been previously removed. What now??

I wrote the following off-line:
Dave: The reason I employ "SpywareBlaster" to constantly monitor incoming info is because it is recommended by "Spybot S & E" over their parallel "tool." I am attaching a print screen image wherein you will see the rec centered in very small print. {"Manage Attachments" is not functioning at this time! Suffice to say, the message from Spybot is very clear and direct.}

In preparation for proceeding with another HJT run, I ran those security programs that are able to ID problems. Only two malwares were fingered, both by "Xoftspy." Of course, I removed them.

Along the way both the MS antispyware beta1 and "CounterSpy" would not run. Perhaps my subscription to the MS program had expired. In the case of "CounterSpy" an error message was shown as #103. I had that program only for a trial period; therefore, I removed it from my system. I did the same with the MS proogram. If advisable, I can download it again with an end of the year termination date.

The HJT log as of this very moment, with the ‘short list’ of tweaks done, follows.

Many thanks again to both of you. {redoak}.

Logfile of HijackThis v1.99.1
Scan saved at 9:36:16 AM, on 7/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\DkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\Spybot - Search & Destroy\TeaTimer.exe
D:\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\DOCUME~1\CGS\LOCALS~1\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "D:\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [Artera] "D:\arteraui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Shortcut to SynTPEnh.exe.lnk = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: ERUNT AutoBackup.lnk = D:\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Download using LeechGet - file://D:\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Parse with LeechGet - file://D:\LeechGet 2004\\Parser.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - D:\DkService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
 

DaveBurnett

Account Closed
Joined
Nov 11, 2002
Messages
12,970
First, I did NOT see the immediately preceding posts until this very moment, and the 017 and R 1 entries had been previously removed. What now??
Maybe Nothing. You may not even notice they've gone. If it was going to affect anything, it would be getting on to the internet (mmmmmm!).
is because it is recommended by "Spybot
Can't argue with THEM.
The HJ Log is looking a lot cleaner.

Now to work on the Services.
Go to Start/Administrative Tools/Services which opens up the Services screen. Adjust the column widths untill you can see the Name, Description,Status and Start Type columns. Click on the Status column heading twice so that you see all the Started tasks in alphabetical order.
Now click on the Action button and Export List and save as a TAB DELIMITED TXT (not comma as there are commas in the descriptions) file. Attach this text file to a post so we can look at it (it opens well in Excel as a tab delimitted file).
I presume your machine is stand-alone and is not in a network of any sort.
How often do you run Diskeeper?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Top