Winfixer Removal Keeps Failing


7 replies to this topic

#1 ninjafencer

ninjafencer

  • Members
  • 9 posts

Posted 29 November 2005 - 01:14 AM

Hi,
My name is William and I am infected with winfixer.
I never installed the program, but its popups keep displaying while I'm on the internet, and my computer is also running slow (something I heard winfixer causes).
Here's my HiJackThis log, the questionable file is jkhhe.dll:

Logfile of HijackThis v1.99.1
Scan saved at 1:11:28 AM, on 11/29/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Documents and Settings\Owner\Desktop\Ad-Killing Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycat1.wcu.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycat1.wcu.edu/cp/home/loginf
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\jkhhe.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125459132017
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by ninjafencer, 29 November 2005 - 01:19 AM.



#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 29 November 2005 - 02:55 PM

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link for "SpySweeper" to download the program. NOTE: DO NOT click the Free Spyware Scan link.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log

#3 ninjafencer

ninjafencer
  • Topic Starter

  • Members
  • 9 posts

Posted 30 November 2005 - 01:36 AM

Thanks for the help, I did what you said, here are the updated logs:
SpySweeper:
********
3:15 PM: | Start of Session, Tuesday, November 29, 2005 |
3:15 PM: Spy Sweeper started
3:15 PM: Sweep initiated using definitions version 575
3:15 PM: Starting Memory Sweep
3:15 PM: Found Adware: virtumonde
3:15 PM: Detected running threat: C:\WINDOWS\system32\jkhhe.dll (ID = 77)
3:17 PM: Memory Sweep Complete, Elapsed Time: 00:02:17
3:17 PM: Starting Registry Sweep
3:17 PM: Found Adware: search fast communicator toolbar
3:17 PM: HKCR\communicator.communicator\ (3 subtraces) (ID = 140680)
3:17 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140682)
3:17 PM: HKCR\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140683)
3:17 PM: HKCR\communicator.communicatormenu button\ (3 subtraces) (ID = 140684)
3:17 PM: HKCR\communicator.communicatortoggle button\ (3 subtraces) (ID = 140685)
3:17 PM: HKLM\software\classes\communicator.communicatormenu button\ (3 subtraces) (ID = 140686)
3:17 PM: HKLM\software\classes\communicator.communicatortoggle button\ (3 subtraces) (ID = 140687)
3:17 PM: HKLM\software\classes\communicator.communicator\ (3 subtraces) (ID = 140691)
3:17 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb429}\ (6 subtraces) (ID = 140693)
3:17 PM: HKLM\software\classes\clsid\{4e7bd74f-2b8d-469e-8dbc-a42eb79cb42a}\ (6 subtraces) (ID = 140694)
3:17 PM: Found Adware: wildmedia
3:17 PM: HKCR\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146695)
3:17 PM: HKLM\software\classes\interface\{851f86c9-d3cc-4574-93f5-40e2d65159e4}\ (8 subtraces) (ID = 146709)
3:17 PM: Found Adware: quicklink search toolbar
3:17 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quick links\ (2 subtraces) (ID = 359457)
3:17 PM: Found Trojan Horse: trojan-downloader-ruin
3:17 PM: HKLM\software\microsoft\windows\currentversion\urls\ (9 subtraces) (ID = 605127)
3:17 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (82 subtraces) (ID = 605128)
3:17 PM: Found Adware: shopathomeselect
3:17 PM: HKCR\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860940)
3:17 PM: HKLM\software\classes\clsid\{e9670165-86fe-4c34-8c4b-d3158ddc5d92}\ (4 subtraces) (ID = 860969)
3:17 PM: Found Adware: weirdontheweb
3:17 PM: HKCR\accessmedia.tinyinstaller\ (5 subtraces) (ID = 870585)
3:17 PM: HKCR\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\ (9 subtraces) (ID = 870591)
3:17 PM: HKCR\typelib\{d9415dd2-fef7-4550-8b03-d47d146e6787}\ (9 subtraces) (ID = 870601)
3:17 PM: HKLM\software\classes\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\inprocserver32\ || threadingmodel (ID = 870619)
3:17 PM: HKLM\software\classes\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\progid\ (1 subtraces) (ID = 870620)
3:17 PM: HKLM\software\classes\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\programmable\ (ID = 870622)
3:17 PM: HKLM\software\classes\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\typelib\ (1 subtraces) (ID = 870623)
3:17 PM: HKLM\software\classes\typelib\{d9415dd2-fef7-4550-8b03-d47d146e6787}\ (9 subtraces) (ID = 870625)
3:17 PM: HKLM\software\classes\accessmedia.tinyinstaller\ (5 subtraces) (ID = 870641)
3:17 PM: HKLM\software\classes\clsid\{2f003d51-39fd-4d18-9016-95cf70b92abe}\ (9 subtraces) (ID = 870647)
3:17 PM: Found Adware: ie driver
3:17 PM: HKU\WRSS_Profile_S-1-5-21-3007268792-1019377702-4293090762-500\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
3:17 PM: HKU\S-1-5-21-3007268792-1019377702-4293090762-1003\software\communicator toolbar\ (9 subtraces) (ID = 140688)
3:17 PM: HKU\S-1-5-21-3007268792-1019377702-4293090762-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {4e7bd74f-2b8d-469e-8dbc-a42eb79cb428} (ID = 140689)
3:17 PM: Found Adware: searchtoolbar
3:17 PM: HKU\S-1-5-21-3007268792-1019377702-4293090762-1003\software\searchtoolbar\ (5 subtraces) (ID = 141343)
3:17 PM: Found Adware: trustyhound toolbar
3:17 PM: HKU\S-1-5-21-3007268792-1019377702-4293090762-1003\software\xbtb01786\ (1 subtraces) (ID = 145197)
3:17 PM: Registry Sweep Complete, Elapsed Time:00:00:15
3:17 PM: Starting Cookie Sweep
3:17 PM: Found Spy Cookie: 2o7.net cookie
3:17 PM: owner@2o7[2].txt (ID = 1957)
3:17 PM: Found Spy Cookie: websponsors cookie
3:17 PM: owner@a.websponsors[2].txt (ID = 3665)
3:17 PM: Found Spy Cookie: yieldmanager cookie
3:17 PM: owner@ad.yieldmanager[2].txt (ID = 3751)
3:17 PM: Found Spy Cookie: adrevolver cookie
3:17 PM: owner@adrevolver[2].txt (ID = 2088)
3:17 PM: owner@adrevolver[3].txt (ID = 2088)
3:17 PM: Found Spy Cookie: atwola cookie
3:17 PM: owner@ar.atwola[2].txt (ID = 2256)
3:17 PM: owner@atwola[1].txt (ID = 2255)
3:17 PM: Found Spy Cookie: casalemedia cookie
3:17 PM: owner@casalemedia[2].txt (ID = 2354)
3:17 PM: Found Spy Cookie: clickbank cookie
3:17 PM: owner@clickbank[1].txt (ID = 2398)
3:17 PM: Found Spy Cookie: realmedia cookie
3:17 PM: owner@realmedia[1].txt (ID = 3235)
3:17 PM: Found Spy Cookie: tribalfusion cookie
3:17 PM: owner@tribalfusion[1].txt (ID = 3589)
3:17 PM: Found Spy Cookie: adserver cookie
3:17 PM: owner@z1.adserver[1].txt (ID = 2142)
3:17 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
3:17 PM: Starting File Sweep
3:17 PM: Found Adware: 180search assistant/zango
3:17 PM: c:\windows\system32\fleok (ID = -2147480556)
3:17 PM: Found Adware: addestroyer
3:17 PM: inneradinstall.log (ID = 49035)
3:20 PM: apinstall_tiny.dll (ID = 162705)
3:22 PM: Found Trojan Horse: trojan-downloader-mype
3:22 PM: vt10.exe (ID = 80841)
3:23 PM: Found Adware: directrevenue-abetterinternet
3:23 PM: iconzz.exe (ID = 83131)
3:24 PM: Found Adware: elitemediagroup-mediamotor
3:24 PM: mm21.inf (ID = 74043)
3:28 PM: Found Adware: nvdialer
3:28 PM: games.exe (ID = 137596)
3:40 PM: backup-20051020-104219-460.dll (ID = 131321)
3:41 PM: Found Adware: keyhost hijacker - jraun
3:41 PM: setup_mdart.exe (ID = 65173)
3:46 PM: Found Adware: ipinsight
3:46 PM: conscorr.ini (ID = 64264)
3:46 PM: Found Adware: minigolf
3:46 PM: wildapp.inf (ID = 69911)
3:46 PM: belt.inf (ID = 83154)
3:46 PM: biini.inf (ID = 83199)
3:46 PM: Found Adware: mindset interactive - favoriteman
3:46 PM: atpartners.inf (ID = 69817)
3:46 PM: Found Adware: screensavers
3:46 PM: backup-20050403-152435-145.inf (ID = 74756)
3:46 PM: Found Adware: netpal
3:46 PM: big fish games.url (ID = 70885)
3:46 PM: flyordie games.url (ID = 70890)
3:46 PM: gamehouse games.url (ID = 70891)
3:47 PM: File Sweep Complete, Elapsed Time: 00:29:56
3:47 PM: Full Sweep has completed. Elapsed time 00:32:35
3:47 PM: Traces Found: 285
1:24 AM: Removal process initiated
1:25 AM: Quarantining All Traces: 180search assistant/zango
1:25 AM: Quarantining All Traces: directrevenue-abetterinternet
1:25 AM: Quarantining All Traces: ie driver
1:25 AM: Quarantining All Traces: trojan-downloader-ruin
1:25 AM: Quarantining All Traces: virtumonde
1:25 AM: virtumonde is in use. It will be removed on reboot.
1:25 AM: C:\WINDOWS\system32\jkhhe.dll is in use. It will be removed on reboot.
1:25 AM: Quarantining All Traces: wildmedia
1:25 AM: Quarantining All Traces: trojan-downloader-mype
1:25 AM: Quarantining All Traces: trustyhound toolbar
1:25 AM: Quarantining All Traces: addestroyer
1:25 AM: Quarantining All Traces: elitemediagroup-mediamotor
1:25 AM: Quarantining All Traces: ipinsight
1:25 AM: Quarantining All Traces: keyhost hijacker - jraun
1:25 AM: Quarantining All Traces: mindset interactive - favoriteman
1:25 AM: Quarantining All Traces: minigolf
1:26 AM: Quarantining All Traces: netpal
1:26 AM: Quarantining All Traces: nvdialer
1:26 AM: Quarantining All Traces: quicklink search toolbar
1:26 AM: Quarantining All Traces: screensavers
1:26 AM: Quarantining All Traces: search fast communicator toolbar
1:26 AM: Quarantining All Traces: searchtoolbar
1:26 AM: Quarantining All Traces: shopathomeselect
1:26 AM: Quarantining All Traces: weirdontheweb
1:26 AM: Quarantining All Traces: 2o7.net cookie
1:26 AM: Quarantining All Traces: adrevolver cookie
1:26 AM: Quarantining All Traces: adserver cookie
1:26 AM: Quarantining All Traces: atwola cookie
1:26 AM: Quarantining All Traces: casalemedia cookie
1:26 AM: Quarantining All Traces: clickbank cookie
1:26 AM: Quarantining All Traces: realmedia cookie
1:26 AM: Quarantining All Traces: tribalfusion cookie
1:26 AM: Quarantining All Traces: websponsors cookie
1:26 AM: Quarantining All Traces: yieldmanager cookie
1:26 AM: Removal process completed. Elapsed time 00:01:53
********
3:13 PM: | Start of Session, Tuesday, November 29, 2005 |
3:13 PM: Spy Sweeper started
3:13 PM: Your spyware definitions have been updated.
3:14 PM: Updating spyware definitions
3:14 PM: Your definitions are up to date.
3:15 PM: | End of Session, Tuesday, November 29, 2005 |

HiJackThis:
Logfile of HijackThis v1.99.1
Scan saved at 1:34:30 AM, on 11/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\Ad-Killing Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycat1.wcu.edu/cp/home/loginf
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mycat1.wcu.edu/cp/home/loginf
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\PDF Converter\IEShellExt.dll /100
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125459132017
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Once again, thanks for the help.
(Update: I ran SpySweeper again and it's still picking up virtumonde)

Edited by ninjafencer, 30 November 2005 - 02:35 AM.
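Added example, not part of the original thread: a short Python script that parses HijackThis entry lines and diffs the log from post #1 against the log from post #3, using lines excerpted from those two logs. The function names are this example's own; it also lists any DLL loaded by both a BHO (O2) and a Winlogon Notify (O20) entry, as jkhhe.dll is in the first log.

```python
import re

# Lines excerpted from the two HijackThis logs posted in this thread
# (29 November 2005 = before the sweep, 30 November 2005 = after).
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MSEvents Object - {B313D637-F405-4052-AC37-E2119AB3C8F8} - C:\WINDOWS\System32\jkhhe.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: jkhhe - C:\WINDOWS\System32\jkhhe.dll
"""

LOG_AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# A HijackThis entry line is "<section code> - <detail>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_entries(log_text):
    """Return (section, detail) for every entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(before, after):
    """Return (removed, added) entries, comparing details case-insensitively."""
    b, a = parse_entries(before), parse_entries(after)
    key = lambda e: (e[0], e[1].lower())
    b_keys, a_keys = {key(e) for e in b}, {key(e) for e in a}
    removed = [e for e in b if key(e) not in a_keys]
    added = [e for e in a if key(e) not in b_keys]
    return removed, added


def shared_autoload_modules(log_text):
    """Return lower-cased module paths referenced by both an O2 and an O20 entry."""
    by_section = {"O2": set(), "O20": set()}
    for section, detail in parse_entries(log_text):
        if section in by_section:
            # The module path is the last " - " separated field of these entries.
            by_section[section].add(detail.rsplit(" - ", 1)[-1].lower())
    return sorted(by_section["O2"] & by_section["O20"])


if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    for section, detail in removed:
        print("REMOVED", section, detail)
    for section, detail in added:
        print("ADDED  ", section, detail)
    print("In both O2 and O20 (before):", shared_autoload_modules(LOG_BEFORE))
    print("In both O2 and O20 (after): ", shared_autoload_modules(LOG_AFTER))
```

Entries present in both logs, such as the R0 Local Page line, are not reported; the added O20 entry belongs to the Webroot Spy Sweeper installation that also appears in the second log's service list.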


#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 November 2005 - 02:41 PM

Fix this entry with HijackThis:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

How's everything running?

David

#5 ninjafencer

ninjafencer
  • Topic Starter

  • Members
  • 9 posts

Posted 30 November 2005 - 03:56 PM

Thanks,
Everything is running much better, I deleted the item as requested.
-WT

#6 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 30 November 2005 - 03:58 PM

Ok! Glad I was able to help you! :thumbsup:

The log is clean! :flowers:

If I have helped you please consider making a donation using the "make a donation" button in my signature. My help is free, but please consider it to keep me fighting spyware for you and others! :trumpet: :inlove:

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

David

#7 ninjafencer

ninjafencer
  • Topic Starter

  • Members
  • 9 posts

Posted 30 November 2005 - 10:31 PM

Done! Thanks much.

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 01 December 2005 - 01:23 PM

:thumbsup:



