
Pop Ups...outerinfo?


  • This topic is locked
14 replies to this topic

#1 jacks311

jacks311

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 15 July 2007 - 05:28 PM

I just got my computer back and the person was supposed to wipe it clean and start over reinstalling XP for me. He didn't think it needed that so he added memory, got rid of the viruses, and fixed some other things. I had "uninstalled" something called outerinfo before he got it. I just "uninstalled" it again. I have been getting different kinds of popups, and am wondering if I am still infected. Here is my HijackThis log. Any help would be greatly appreciated. Thanks!



Logfile of HijackThis v1.99.1
Scan saved at 5:26:57 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\soundman.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\X P User\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - blank (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0634383a105b63...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146971863468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:03 AM

Posted 18 July 2007 - 05:34 PM

Hello jacks311,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.



1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Edited by SifuMike, 18 July 2007 - 05:35 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jacks311

jacks311
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 18 July 2007 - 07:55 PM

Here is the log from ComboFix. I don't see any quarantined files.

"X P User" - 2007-07-18 19:44:00 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\XPUSER~1\MYDOCU~1.\ssembl~1
C:\Program Files\winpop
C:\temp\17o7
C:\temp\17o7\tmpTF.log
C:\temp\iee
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\smpi1


((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))


2007-07-18 19:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 16:47 <DIR> d-------- C:\Program Files\ISM
2007-07-13 07:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-07-13 07:35 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-07-13 07:35 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-07-13 07:35 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-07-13 07:35 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-07-11 09:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-11 08:50 217,088 --------- C:\WINDOWS\alcupd.exe
2007-07-11 08:50 151,552 --------- C:\WINDOWS\alcrmv.exe
2007-07-11 08:50 124,416 --------- C:\WINDOWS\soundman.exe
2007-07-11 08:50 <DIR> d-------- C:\Program Files\AvRack
2007-07-11 08:50 <DIR> d-------- C:\Program Files\Avance Sound Manager
2007-07-11 01:04 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-11 01:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-11 00:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-11 00:47 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-10 19:29 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-10 19:24 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2007-07-10 19:24 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2007-07-10 19:24 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-07-10 19:24 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-07-10 19:24 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-07-10 19:24 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-07-10 19:24 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-07-10 19:24 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2007-07-10 19:24 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-07-10 19:24 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-07-10 19:24 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-07-10 19:24 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-07-10 19:24 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys
2007-07-10 19:24 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-07-10 19:24 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-07-10 19:24 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-07-10 19:24 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-07-10 19:24 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-07-10 19:24 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-07-10 19:24 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-07-10 19:24 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-07-10 19:24 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-07-10 19:24 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-07-10 19:24 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-07-10 19:24 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-07-10 19:24 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-07-10 19:24 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-07-10 19:24 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-07-10 19:24 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-07-10 19:24 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-07-10 19:24 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2007-07-10 19:24 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-07-10 19:24 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-07-10 19:24 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-07-10 19:24 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-07-10 19:24 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-07-10 19:24 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-07-10 19:24 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-07-10 19:24 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-07-10 19:24 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-07-10 19:24 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2007-07-10 19:24 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-07-10 19:24 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2007-07-10 19:24 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2007-07-10 19:24 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-07-10 19:24 15,104 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-07-10 19:24 14,336 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-07-10 19:24 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-07-10 19:24 13,824 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2007-07-10 19:24 13,824 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-07-10 19:24 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2007-07-10 19:24 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-07-10 19:24 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-07-10 19:24 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-07-10 19:24 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-07-10 19:24 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-07-10 19:24 104,960 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-07-10 19:24 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-10 19:24 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-07-10 19:23 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-07-10 19:23 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-07-10 19:23 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-07-10 19:23 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-07-10 19:23 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2007-07-10 19:23 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-07-10 19:23 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-07-10 19:23 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-07-10 19:23 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-07-10 19:23 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-07-10 19:23 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-07-10 19:23 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-07-10 19:23 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-07-10 19:23 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-07-10 19:23 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\hccoin.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-07-10 19:23 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-07-10 19:23 60,416 --------- C:\WINDOWS\system32\fwcfg.dll
2007-07-10 19:23 6,656 --------- C:\WINDOWS\system32\kbdinmal.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-13 04:16:58 -------- d-----w C:\Program Files\Google
2007-07-12 03:45:37 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\Roxio
2007-07-11 14:09:15 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-11 14:05:30 -------- d-----w C:\Program Files\Yahoo!
2007-07-11 14:03:05 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\Lavasoft
2007-07-11 13:50:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-11 08:17:03 -------- d-----w C:\Program Files\Messenger
2007-07-11 00:23:10 -------- d-----w C:\Program Files\Movie Maker
2007-07-11 00:12:28 -------- d-----w C:\Program Files\Windows NT
2007-07-10 22:06:56 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-07-10 22:06:31 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-10 22:06:31 -------- d-----w C:\Program Files\Online Services
2007-07-05 10:34:55 -------- d-----w C:\Program Files\LimeWire
2007-06-29 01:19:29 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\LimeWire
2007-05-17 02:28:16 1,466,189 --sha-w C:\WINDOWS\system32\xbbeg.ini2
2007-05-16 12:45:51 1,466,113 --sha-w C:\WINDOWS\system32\xbbeg.bak2
2007-05-16 02:11:19 2,472 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-15 02:47:06 1,466,609 --sha-w C:\WINDOWS\system32\xbbeg.bak1
2007-05-15 02:39:53 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-05-04 05:11:23 167,936 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-04 05:11:23 1,211 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat
2007-05-04 05:09:57 17,871 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-10 00:35:56 17,144 ----a-w C:\DOCUME~1\XPUSER~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-05-30 16:18 808472 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-07-12 23:16 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-05-31 09:31 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-10 15:07]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="soundman.exe" [2001-05-30 03:02 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 15:25]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^X P User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]

*Newly Created Service* - HTTPFILTER

Contents of the 'Scheduled Tasks' folder
2007-07-15 00:47:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-18 05:00:00 C:\WINDOWS\tasks\At1.job
2007-07-18 14:00:00 C:\WINDOWS\tasks\At10.job
2007-07-18 15:00:00 C:\WINDOWS\tasks\At11.job
2007-07-18 16:00:00 C:\WINDOWS\tasks\At12.job
2007-07-18 17:00:00 C:\WINDOWS\tasks\At13.job
2007-07-18 18:00:00 C:\WINDOWS\tasks\At14.job
2007-07-18 19:00:00 C:\WINDOWS\tasks\At15.job
2007-07-18 20:00:00 C:\WINDOWS\tasks\At16.job
2007-07-18 21:00:00 C:\WINDOWS\tasks\At17.job
2007-07-18 22:00:00 C:\WINDOWS\tasks\At18.job
2007-07-18 23:00:00 C:\WINDOWS\tasks\At19.job
2007-07-18 06:00:00 C:\WINDOWS\tasks\At2.job
2007-07-19 00:00:00 C:\WINDOWS\tasks\At20.job
2007-07-18 01:00:00 C:\WINDOWS\tasks\At21.job
2007-07-18 02:00:00 C:\WINDOWS\tasks\At22.job
2007-07-18 02:59:59 C:\WINDOWS\tasks\At23.job
2007-07-18 04:00:00 C:\WINDOWS\tasks\At24.job
2007-07-18 07:00:00 C:\WINDOWS\tasks\At3.job
2007-07-18 08:00:00 C:\WINDOWS\tasks\At4.job
2007-07-18 09:00:00 C:\WINDOWS\tasks\At5.job
2007-07-18 10:00:00 C:\WINDOWS\tasks\At6.job
2007-07-18 11:00:00 C:\WINDOWS\tasks\At7.job
2007-07-18 12:00:00 C:\WINDOWS\tasks\At8.job
2007-07-18 13:00:00 C:\WINDOWS\tasks\At9.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 19:45:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 19:46:20
C:\ComboFix-quarantined-files.txt ... 2007-07-18 19:46

--- E O F ---


Here is my HijackThis log. I actually deleted a couple of things already that someone told me to. Hopefully I didn't screw anything up. LOL. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:53:43 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\X P User\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0634383a105b63...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146971863468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:10:03 AM

Posted 19 July 2007 - 12:41 AM

> I actually deleted a couple of things already that someone told me to. Hopefully I didn't screw anything up.

Not a good idea to delete stuff on your own or with the advice of a non-trained person.
If you delete items without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself.

Since I don't know what you deleted or why, we may never get your computer running correctly.

What did you delete?





You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the following site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the browse button and browse to the following file:

C:\WINDOWS\_MSRSTRT.EXE

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

Note: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

Edited by SifuMike, 19 July 2007 - 01:05 AM.


#5 jacks311

jacks311
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:12:03 PM

Posted 19 July 2007 - 07:13 AM

This is what I deleted per hijacksthis.de:

O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - blank (file missing)
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)

That is all I deleted. My computer seemed to be working better, but I still wanted your advice to make sure there weren't any hidden infections. Do you still want me to do what you just told me?
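The three entries quoted above are the kind of HijackThis lines a helper reviews by hand. As an added illustration (editor's example, not code from this thread, from HijackThis or from the hijackthis.de service), the following Python parses O2/O4/O9/O23 lines into records and attaches review flags for the patterns visible in this thread: a target reported as "(file missing)" or "(no file)", an entry with "(no name)", and a library loading straight from the Windows root the way xhelper.dll did. The sample log is assembled from lines posted in this thread; the flag rules are the editor's own heuristics and mark entries for a closer look, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: the three entries the poster removed, plus a few benign
# lines copied from the HijackThis logs posted later in this thread.
SAMPLE_HJT = r"""
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xhelper.dll
O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - blank (file missing)
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis line is "<section> - <body>"; the body layout depends on the section.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# O2 / O9: "<kind>: <name> - {<CLSID>} - <file or '(no file)'>"
BHO_RE = re.compile(r"^(?:BHO|Extra button|Extra 'Tools' menuitem): (?P<name>.+?) - \{(?P<clsid>[^}]+)\} - (?P<target>.+)$")
# O4: "<hive>\..\<key>: [<value name>] <command line>"
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
# O23: "Service: <display name> (<short name>)? - <vendor> - <image path>"
SVC_RE = re.compile(r"^Service: (?P<name>.+?)(?: \((?P<short>[^)]+)\))? - (?P<vendor>.+?) - (?P<target>.+)$")
# Heuristic (editor's assumption): a DLL or EXE sitting directly in C:\WINDOWS\ rather
# than in a program directory deserves a second look.
WINROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.(dll|exe)$")


@dataclass
class Entry:
    section: str                      # HijackThis category, e.g. O2, O4, O23
    name: str                         # BHO name, Run value name or service display name
    target: str                       # file path or command line
    extra: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)


def review_flags(e: Entry) -> List[str]:
    """Review prompts for one entry; an empty list means nothing stood out."""
    flags: List[str] = []
    low = e.target.lower()
    if "(file missing)" in low or "(no file)" in low:
        flags.append("target file missing")       # orphaned registration
    if e.name.strip().lower() == "(no name)":
        flags.append("unnamed entry")             # legitimate add-ins normally carry a name
    if e.section in ("O2", "O4") and WINROOT_RE.match(low):
        flags.append("loads directly from Windows root")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Turn HijackThis log lines into Entry records with review flags attached."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                               # blank line or log header, not an entry
        section, body = m["section"], m["body"]
        if section in ("O2", "O9") and (b := BHO_RE.match(body)):
            e = Entry(section, b["name"], b["target"], {"clsid": b["clsid"]})
        elif section == "O4" and (r := RUN_RE.match(body)):
            e = Entry(section, r["name"], r["target"], {"hive": r["hive"], "key": r["key"]})
        elif section == "O23" and (s := SVC_RE.match(body)):
            e = Entry(section, s["name"], s["target"],
                      {"short": s["short"] or "", "vendor": s["vendor"]})
        else:
            e = Entry(section, "", body)           # sections this parser does not split up
        e.flags = review_flags(e)
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_hjt(SAMPLE_HJT)):
        print(f"{e.section:<4} {e.name or '-':<14} {e.target:<45} {', '.join(e.flags)}")
```

Run as a script it prints only the three entries that the poster removed; the Google, AVG, SoundMan and iPod lines parse cleanly and carry no flags. The parser is deliberately narrow (O2, O4, O9 and O23); other sections are kept as raw text so nothing in a log is silently dropped.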

#6 SifuMike

Posted 19 July 2007 - 10:49 AM

Hi jacks311,

Do you still want me to do what you just told me?


Yes, run VirusTotal on that one file, post the report and we will continue.

#7 jacks311

Posted 19 July 2007 - 08:04 PM

Hi. I scanned the file and it seems to be ok. Here's the log:

Complete scanning result of "_MSRSTRT.EXE", processed in VirusTotal at
07/20/2007 03:00:53 (CET).

[ file data ]
* name: _MSRSTRT.EXE
* size: 2560
* md5.: 815372073da85b2098a37ded84083c8a
* sha1: 0a70574450bee11c9c09f25f082e0253aa32ceaa

[ scan result ]
AhnLab-V3 2007.7.20.0/20070719 found nothing
AntiVir 7.4.0.44/20070719 found nothing
Authentium 4.93.8/20070719 found nothing
Avast 4.7.997.0/20070719 found nothing
AVG 7.5.0.476/20070719 found nothing
BitDefender 7.2/20070720 found nothing
CAT-QuickHeal 9.00/20070719 found [Tool.Win32.Reboot (Not a Virus)]
ClamAV devel-20070416/20070719 found nothing
DrWeb 4.33/20070719 found nothing
eSafe 7.0.15.0/20070719 found nothing
eTrust-Vet 30.8.3795/20070719 found nothing
Ewido 4.0/20070719 found nothing
F-Prot 4.3.2.48/20070719 found nothing
F-Secure 6.70.13030.0/20070719 found nothing
FileAdvisor 1/20070720 found nothing
Fortinet 2.91.0.0/20070719 found nothing
Ikarus T3.1.1.8/20070719 found nothing
Kaspersky 4.0.2.24/20070720 found nothing
McAfee 5078/20070719 found nothing
Microsoft 1.2704/20070720 found nothing
NOD32v2 2408/20070719 found nothing
Norman 5.80.02/20070719 found nothing
Panda 9.0.0.4/20070719 found nothing
Sophos 4.19.0/20070717 found nothing
Sunbelt 2.2.907.0/20070719 found nothing
Symantec 10/20070720 found nothing
TheHacker 6.1.7.149/20070718 found nothing
VBA32 3.12.2.1/20070719 found nothing
VirusBuster 4.3.26:9/20070719 found nothing
Webwasher-Gateway 6.0.1/20070720 found nothing
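A report like the one above is read in two steps: confirm that the hashes VirusTotal lists match the file that was actually submitted, then count which engines flagged it and what they called it. The following Python is an added example (editor's code, not from this thread or from VirusTotal) that does both for the 2007-era plain-text report format. The sample report is a constructed excerpt of the post above with four of the thirty engine lines kept; the values in it are copied from the post, and the local path C:\WINDOWS\_MSRSTRT.EXE from the thread is only checked when that file exists.

```python
import hashlib
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt of the VirusTotal text report quoted in the thread;
# only four of the thirty engine lines are kept, the values are unchanged.
SAMPLE_REPORT = """\
Complete scanning result of "_MSRSTRT.EXE", processed in VirusTotal at
07/20/2007 03:00:53 (CET).

[ file data ]
* name: _MSRSTRT.EXE
* size: 2560
* md5.: 815372073da85b2098a37ded84083c8a
* sha1: 0a70574450bee11c9c09f25f082e0253aa32ceaa

[ scan result ]
AhnLab-V3 2007.7.20.0/20070719 found nothing
CAT-QuickHeal 9.00/20070719 found [Tool.Win32.Reboot (Not a Virus)]
ClamAV devel-20070416/20070719 found nothing
Symantec 10/20070720 found nothing
"""

# "* md5.: ..." and "* sha1: ..." share one pattern; the optional dot absorbs "md5.".
FIELD_RE = re.compile(r"^\* (?P<key>[a-z0-9]+)\.?: (?P<value>.+)$")
# "<engine> <signature version>/<date> found nothing" or "... found [<label>]"
ENGINE_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) found (?P<result>.+)$")

Report = Dict[str, Dict[str, Optional[str]]]


def parse_report(text: str) -> Report:
    """Split a VirusTotal text report into file metadata and per-engine verdicts.

    A verdict of None means the engine reported "found nothing".
    """
    meta: Dict[str, Optional[str]] = {}
    verdicts: Dict[str, Optional[str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line == "[ file data ]":
            section = "file"
        elif line == "[ scan result ]":
            section = "scan"
        elif section == "file":
            m = FIELD_RE.match(line)
            if m:
                meta[m["key"]] = m["value"]
        elif section == "scan":
            m = ENGINE_RE.match(line)
            if m:
                result = m["result"]
                verdicts[m["engine"]] = None if result == "nothing" else result.strip("[]")
    return {"meta": meta, "verdicts": verdicts}


def detections(report: Report) -> List[Tuple[str, str]]:
    """(engine, label) for every engine that flagged the file, sorted by engine name."""
    return sorted((e, v) for e, v in report["verdicts"].items() if v is not None)


def detection_ratio(report: Report) -> Tuple[int, int]:
    """(flagging engines, engines that scanned), the figure VirusTotal shows as x/y."""
    return len(detections(report)), len(report["verdicts"])


def compute_hashes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and length of a byte string, keyed by the report's field names."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "size": str(len(data)),
    }


def data_matches_report(data: bytes, report: Report) -> bool:
    """True only if size, MD5 and SHA-1 all agree with the report's [ file data ] block."""
    local = compute_hashes(data)
    meta = report["meta"]
    return all(local[k] == (meta.get(k) or "").lower() for k in ("md5", "sha1", "size"))


def file_matches_report(path: str, report: Report) -> bool:
    """Same check for a file on disk; whole-file read is fine for samples this small."""
    with open(path, "rb") as fh:
        return data_matches_report(fh.read(), report)


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hits, total = detection_ratio(rep)
    print(f"{rep['meta']['name']}: {hits}/{total} engines flagged it")
    for engine, label in detections(rep):
        print(f"  {engine}: {label}")
    sample_path = r"C:\WINDOWS\_MSRSTRT.EXE"  # path from the thread; checked only if present
    if os.path.exists(sample_path):
        print("local file matches report:", file_matches_report(sample_path, rep))
```

On the excerpt the parser reports 1 of 4 engines (1 of 30 in the full post), and the single hit carries a "Not a Virus" label, which matches the poster's reading that the file seems to be ok. A hash or size mismatch would mean the report describes a different file than the one on disk, so it is worth running the comparison before trusting any verdict.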

#8 SifuMike

Posted 19 July 2007 - 10:12 PM

Hi jacks311,

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\xbbeg.ini2
    C:\WINDOWS\system32\xbbeg.bak2
    C:\WINDOWS\system32\xbbeg.bak1
    C:\WINDOWS\tasks\At1.job
    C:\WINDOWS\tasks\At10.job
    C:\WINDOWS\tasks\At11.job
    C:\WINDOWS\tasks\At12.job
    C:\WINDOWS\tasks\At13.job
    C:\WINDOWS\tasks\At14.job
    C:\WINDOWS\tasks\At15.job
    C:\WINDOWS\tasks\At16.job
    C:\WINDOWS\tasks\At17.job
    C:\WINDOWS\tasks\At18.job
    C:\WINDOWS\tasks\At19.job
    C:\WINDOWS\tasks\At2.job
    C:\WINDOWS\tasks\At20.job
    C:\WINDOWS\tasks\At21.job
    C:\WINDOWS\tasks\At22.job
    C:\WINDOWS\tasks\At23.job
    C:\WINDOWS\tasks\At24.job
    C:\WINDOWS\tasks\At3.job
    C:\WINDOWS\tasks\At4.job
    C:\WINDOWS\tasks\At5.job
    C:\WINDOWS\tasks\At6.job
    C:\WINDOWS\tasks\At7.job
    C:\WINDOWS\tasks\At8.job
    C:\WINDOWS\tasks\At9.job


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

***************


Run ComboFix and post a fresh ComboFix log.


Finally, please post the OTMoveIt log, the ComboFix log, and a fresh HijackThis log, and tell me how your computer is running. Any popups?

Edited by SifuMike, 19 July 2007 - 10:30 PM.


#9 jacks311

Posted 19 July 2007 - 10:58 PM

Hi, thanks for all of your help. Here is my OTMoveIt log.

C:\WINDOWS\system32\xbbeg.ini2 moved successfully.
C:\WINDOWS\system32\xbbeg.bak2 moved successfully.
C:\WINDOWS\system32\xbbeg.bak1 moved successfully.
C:\WINDOWS\tasks\At1.job moved successfully.
C:\WINDOWS\tasks\At10.job moved successfully.
C:\WINDOWS\tasks\At11.job moved successfully.
C:\WINDOWS\tasks\At12.job moved successfully.
C:\WINDOWS\tasks\At13.job moved successfully.
C:\WINDOWS\tasks\At14.job moved successfully.
C:\WINDOWS\tasks\At15.job moved successfully.
C:\WINDOWS\tasks\At16.job moved successfully.
C:\WINDOWS\tasks\At17.job moved successfully.
C:\WINDOWS\tasks\At18.job moved successfully.
C:\WINDOWS\tasks\At19.job moved successfully.
C:\WINDOWS\tasks\At2.job moved successfully.
C:\WINDOWS\tasks\At20.job moved successfully.
C:\WINDOWS\tasks\At21.job moved successfully.
C:\WINDOWS\tasks\At22.job moved successfully.
C:\WINDOWS\tasks\At23.job moved successfully.
C:\WINDOWS\tasks\At24.job moved successfully.
C:\WINDOWS\tasks\At3.job moved successfully.
C:\WINDOWS\tasks\At4.job moved successfully.
C:\WINDOWS\tasks\At5.job moved successfully.
C:\WINDOWS\tasks\At6.job moved successfully.
C:\WINDOWS\tasks\At7.job moved successfully.
C:\WINDOWS\tasks\At8.job moved successfully.
C:\WINDOWS\tasks\At9.job moved successfully.

Created on 07/19/2007 22:51:58


Here is my ComboFix log:

"X P User" - 2007-07-19 22:55:17 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-20 to 2007-07-20 )))))))))))))))))))))))))))))))


2007-07-18 21:02 <DIR> d-------- C:\Program Files\Incomplete
2007-07-18 19:43 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-15 16:47 <DIR> d-------- C:\Program Files\ISM
2007-07-13 07:35 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-07-13 07:35 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-07-13 07:35 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-07-13 07:35 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-07-13 07:35 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-07-11 09:02 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-11 08:50 217,088 --------- C:\WINDOWS\alcupd.exe
2007-07-11 08:50 151,552 --------- C:\WINDOWS\alcrmv.exe
2007-07-11 08:50 124,416 --------- C:\WINDOWS\soundman.exe
2007-07-11 08:50 <DIR> d-------- C:\Program Files\AvRack
2007-07-11 08:50 <DIR> d-------- C:\Program Files\Avance Sound Manager
2007-07-11 01:04 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2007-07-11 01:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-07-11 00:54 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-07-11 00:47 <DIR> d-------- C:\WINDOWS\Prefetch
2007-07-10 19:29 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-07-10 19:24 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2007-07-10 19:24 73,216 --------- C:\WINDOWS\system32\drivers\atintuxx.sys
2007-07-10 19:24 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2007-07-10 19:24 63,663 --------- C:\WINDOWS\system32\drivers\ati1rvxx.sys
2007-07-10 19:24 63,488 --------- C:\WINDOWS\system32\drivers\atinxsxx.sys
2007-07-10 19:24 57,856 --------- C:\WINDOWS\system32\drivers\atinbtxx.sys
2007-07-10 19:24 56,623 --------- C:\WINDOWS\system32\drivers\ati1btxx.sys
2007-07-10 19:24 52,224 --------- C:\WINDOWS\system32\drivers\atinraxx.sys
2007-07-10 19:24 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2007-07-10 19:24 44,928 --------- C:\WINDOWS\system32\drivers\agpcpq.sys
2007-07-10 19:24 43,008 --------- C:\WINDOWS\system32\drivers\amdagp.sys
2007-07-10 19:24 42,752 --------- C:\WINDOWS\system32\drivers\alim1541.sys
2007-07-10 19:24 42,368 --------- C:\WINDOWS\system32\drivers\agp440.sys
2007-07-10 19:24 40,832 --------- C:\WINDOWS\system32\drivers\irbus.sys
2007-07-10 19:24 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2007-07-10 19:24 38,016 --------- C:\WINDOWS\system32\drivers\bthmodem.sys
2007-07-10 19:24 36,463 --------- C:\WINDOWS\system32\drivers\ati1tuxx.sys
2007-07-10 19:24 36,096 --------- C:\WINDOWS\system32\drivers\intelppm.sys
2007-07-10 19:24 35,456 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2007-07-10 19:24 34,735 --------- C:\WINDOWS\system32\drivers\ati1xsxx.sys
2007-07-10 19:24 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2007-07-10 19:24 31,744 --------- C:\WINDOWS\system32\drivers\atinxbxx.sys
2007-07-10 19:24 30,671 --------- C:\WINDOWS\system32\drivers\ati1raxx.sys
2007-07-10 19:24 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2007-07-10 19:24 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2007-07-10 19:24 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2007-07-10 19:24 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2007-07-10 19:24 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2007-07-10 19:24 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2007-07-10 19:24 29,455 --------- C:\WINDOWS\system32\drivers\ati1xbxx.sys
2007-07-10 19:24 29,056 --------- C:\WINDOWS\system32\drivers\ip6fw.sys
2007-07-10 19:24 28,672 --------- C:\WINDOWS\system32\drivers\atinsnxx.sys
2007-07-10 19:24 274,304 --------- C:\WINDOWS\system32\drivers\bthport.sys
2007-07-10 19:24 262,784 --------- C:\WINDOWS\system32\drivers\http.sys
2007-07-10 19:24 26,367 --------- C:\WINDOWS\system32\drivers\ati1snxx.sys
2007-07-10 19:24 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2007-07-10 19:24 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2007-07-10 19:24 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2007-07-10 19:24 21,343 --------- C:\WINDOWS\system32\drivers\ati1ttxx.sys
2007-07-10 19:24 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2007-07-10 19:24 18,944 --------- C:\WINDOWS\system32\drivers\bthusb.sys
2007-07-10 19:24 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2007-07-10 19:24 17,024 --------- C:\WINDOWS\system32\drivers\bthenum.sys
2007-07-10 19:24 15,488 --------- C:\WINDOWS\system32\drivers\mssmbios.sys
2007-07-10 19:24 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2007-07-10 19:24 15,104 --------- C:\WINDOWS\system32\drivers\hidir.sys
2007-07-10 19:24 14,336 --------- C:\WINDOWS\system32\drivers\atinpdxx.sys
2007-07-10 19:24 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2007-07-10 19:24 13,824 --------- C:\WINDOWS\system32\drivers\atinttxx.sys
2007-07-10 19:24 13,824 --------- C:\WINDOWS\system32\drivers\atinmdxx.sys
2007-07-10 19:24 128,896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2007-07-10 19:24 126,686 --------- C:\WINDOWS\system32\drivers\mtlmnt5.sys
2007-07-10 19:24 12,047 --------- C:\WINDOWS\system32\drivers\ati1pdxx.sys
2007-07-10 19:24 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2007-07-10 19:24 11,615 --------- C:\WINDOWS\system32\drivers\ati1mdxx.sys
2007-07-10 19:24 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2007-07-10 19:24 104,960 --------- C:\WINDOWS\system32\drivers\atinrvxx.sys
2007-07-10 19:24 100,992 --------- C:\WINDOWS\system32\drivers\bthpan.sys
2007-07-10 19:24 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2007-07-10 19:23 95,424 --------- C:\WINDOWS\system32\drivers\slnthal.sys
2007-07-10 19:23 88,064 --------- C:\WINDOWS\system32\p2pnetsh.dll
2007-07-10 19:23 86,016 --------- C:\WINDOWS\system32\p2pgasvc.dll
2007-07-10 19:23 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2007-07-10 19:23 81,920 --------- C:\WINDOWS\system32\ieencode.dll
2007-07-10 19:23 81,408 --------- C:\WINDOWS\system32\wscsvc.dll
2007-07-10 19:23 8,192 --------- C:\WINDOWS\system32\smbinst.exe
2007-07-10 19:23 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2007-07-10 19:23 78,464 --------- C:\WINDOWS\system32\drivers\usbvideo.sys
2007-07-10 19:23 75,776 --------- C:\WINDOWS\system32\strmfilt.dll
2007-07-10 19:23 73,832 --------- C:\WINDOWS\system32\slcoinst.dll
2007-07-10 19:23 73,796 --------- C:\WINDOWS\system32\slserv.exe
2007-07-10 19:23 71,680 --------- C:\WINDOWS\system32\blastcln.exe
2007-07-10 19:23 7,680 --------- C:\WINDOWS\system32\kbdsmsno.dll
2007-07-10 19:23 7,680 --------- C:\WINDOWS\system32\kbdsmsfi.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdukx.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdno1.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\kbdfi1.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\hccoin.dll
2007-07-10 19:23 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2007-07-10 19:23 67,584 --------- C:\WINDOWS\system32\drivers\sdbus.sys
2007-07-10 19:23 60,416 --------- C:\WINDOWS\system32\fwcfg.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-19 02:23:58 -------- d-----w C:\Program Files\LimeWire
2007-07-19 02:03:16 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\LimeWire
2007-07-13 04:16:58 -------- d-----w C:\Program Files\Google
2007-07-12 03:45:37 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\Roxio
2007-07-11 14:09:15 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-11 14:05:30 -------- d-----w C:\Program Files\Yahoo!
2007-07-11 14:03:05 -------- d-----w C:\DOCUME~1\XPUSER~1\APPLIC~1\Lavasoft
2007-07-11 13:50:00 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-11 08:17:03 -------- d-----w C:\Program Files\Messenger
2007-07-11 00:23:10 -------- d-----w C:\Program Files\Movie Maker
2007-07-11 00:12:28 -------- d-----w C:\Program Files\Windows NT
2007-07-10 22:06:56 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-07-10 22:06:31 -------- d--h--w C:\Program Files\WindowsUpdate
2007-07-10 22:06:31 -------- d-----w C:\Program Files\Online Services
2007-05-16 02:11:19 2,472 ----a-w C:\WINDOWS\system32\tmp.reg
2007-05-15 02:39:53 2,560 ----a-w C:\WINDOWS\_MSRSTRT.EXE
2007-05-04 05:11:23 167,936 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-05-04 05:11:23 1,211 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Mp4 Codec.dat
2007-05-04 05:09:57 17,871 ----a-w C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-10 00:35:56 17,144 ----a-w C:\DOCUME~1\XPUSER~1\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2007-05-30 16:18 808472 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 16:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-07-12 23:16 2554944 -ra------ c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
2007-05-31 09:31 325048 --a------ C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-10 15:07]
"Cmaudio"="cmicnfg.cpl" []
"SoundMan"="soundman.exe" [2001-05-30 03:02 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-31 15:25]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-06-11 18:16]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^X P User^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zinio DLM]

*Newly Created Service* - CATCHME
*Newly Created Service* - HTTPFILTER

Contents of the 'Scheduled Tasks' folder
2007-07-15 00:47:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-19 22:56:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-19 22:57:05
C:\ComboFix-quarantined-files.txt ... 2007-07-19 22:56
C:\ComboFix2.txt ... 2007-07-18 19:46

--- E O F ---


Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:58:20 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\X P User\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/0634383a105b63...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146971863468
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#10 SifuMike

Posted 20 July 2007 - 10:35 AM

Hi jacks311,

Your log looks clean! :thumbsup: Good job on the cleanup!


Find and delete:
Combofix
OTMoveIt
C:\_OTMoveIt
C:\QOOBOX


Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
'How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 20 July 2007 - 10:52 AM.


#11 jacks311

Posted 20 July 2007 - 10:38 PM

Done. Thank you sooo much for all of your help. :thumbsup: I have another question about 4 files that AVG changes for me everyday. It doesn't say they were infected, just changed. Can I ask you about it here or do I have to post elsewhere?

Thanks again!

#12 SifuMike

Posted 20 July 2007 - 10:45 PM

Hi jacks311,

You're welcome. :thumbsup:

Look here:
http://forum.grisoft.cz/freeforum/read.php?8,102236,102236

Since I am not an AVG expert (I use AntiVir), best to post your question at Am I infected? What do I do?

Edited by SifuMike, 20 July 2007 - 10:49 PM.


#13 jacks311

Posted 20 July 2007 - 10:47 PM

Ok. I will post there. Have a great night. :thumbsup: Thanks.

#14 SifuMike

Posted 20 July 2007 - 10:51 PM

I just edited my previous post, so look at the link I posted :thumbsup:

If you need further help on your question, then this would be the best forum: AntiVirus, Firewall and Privacy Products and Protection Methods http://www.bleepingcomputer.com/forums/forum25.html

Edited by SifuMike, 20 July 2007 - 11:00 PM.


#15 SifuMike

Posted 28 July 2007 - 09:25 AM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



