Pop Up In Firefox - Hijackthis Log - Help Please!


This topic is locked. 13 replies to this topic.

#1 grynch (Members, 7 posts)

Posted 31 May 2006 - 12:17 PM

Hi folks. All of a sudden I am getting a pop-up in Firefox - http://ad.firstadsolution.com

I have run a bunch of anti-spyware programs with no results.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:39 AM, on 5/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\Bin\W3DBSMGR.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron Penton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\ante surf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Engineering.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Any help to get rid of this nasty would be so much appreciated. Thank you!


Mod Edit: Topic moved to a more appropriate forum - QM7

Edited by quietman7, 31 May 2006 - 12:23 PM.


#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 01 June 2006 - 08:11 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.


We need to see a little more information.

Download FindLop. Unzip the file; it will create a folder. From the extracted files, locate findlop.bat and double-click on it. It will generate a log file, C:\findlop.txt.

Find that file and copy its contents into your next post along with a new HijackThis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 grynch (Topic Starter)

Posted 01 June 2006 - 11:38 AM

Thank you. Here you go:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '8392935B8DCD093F.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\aaronp~1\applic~1\amokin~1\link camp regs.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Aaron Penton'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/01/2006 10:00:00
NextRun: 06/01/2006 11:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/02/1996
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'ISP signup reminder 2.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\OOBE\OOBEBALN.EXE'
Parameters: '/sys /i /n:2'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 07/27/2002
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'ISP signup reminder 3.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\System32\OOBE\OOBEBALN.EXE'
Parameters: '/sys /i /n:3'
WorkingDirectory: ''
Comment: ''
Creator: 'SYSTEM'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 07/28/2002
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 15
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Symantec NetDetect.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Parameters: ''
WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
Comment: 'Symantec NetDetect'
Creator: 'Aaron Penton'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 06/01/2006 8:11:00
NextRun: 06/01/2006 12:11:00
StartError: S_OK
ExitCode: 0x65
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/01/2006
EndDate: 00/00/0000
StartTime: 12:11
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


__________________________________________

Hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 10:36:24 AM, on 6/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\Bin\W3DBSMGR.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron Penton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\ante surf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Engineering.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#4 Buckeye_Sam (Malware Expert)

Posted 01 June 2006 - 03:29 PM

Open Notepad and copy and paste this text into it:

rem Switch to the system drive and into the Task Scheduler's job folder
%systemdrive%
cd C:\WINDOWS\Tasks
rem Clear the read-only, system and hidden attributes so the hidden job file can be deleted
attrib -r -s -h 8392935B8DCD093F.job
del 8392935B8DCD093F.job
rem Remove the adware directories. Windows XP has no deltree; rmdir /s /q is the
rem equivalent, and paths containing spaces must be quoted.
rmdir /s /q "c:\docume~1\aaronp~1\applic~1\amokin~1"
rmdir /s /q "C:\Documents and Settings\All Users\Application Data\Lite inside move chin"
rmdir /s /q "C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1"

Save this as remjob.bat (choose to save it as type "All Files") and place it on your desktop.
Double-click on remjob.bat. A DOS window will open and close again; this is normal.


=============


Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\ante surf.exe
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe



=============


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

========================================================
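The two things Buckeye_Sam picked out by eye above can be scripted: in the findlop.txt dump from post #3, a job that is marked Hidden, runs every hour and launches an executable from the user's Application Data folder; and in the HijackThis log, the O2/O4 entries whose binary lives under Application Data rather than Program Files or the Windows directory. The Python below is an added example written for this page, not a tool from this thread or from BleepingComputer. Its sample inputs are short excerpts copied from the logs posted above (labelled as constructed excerpts in the code); the directory-based rules, the "BHO pointing at an .exe" rule and the "16-hex-digit job name" rule are my own assumptions about what separates the Lop entries from the legitimate ones, and all function names are invented.

```python
import re

# Constructed excerpt of the HijackThis log posted above: the three entries the
# helper told the poster to fix, plus benign lines for contrast.
SAMPLE_HJT = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\ante surf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe
"""

# Constructed excerpt of the findlop.txt output posted above; only the fields
# this check reads are kept.
SAMPLE_JOBS = r"""
[TRACE] Activating job '8392935B8DCD093F.job'
ApplicationName: 'c:\docume~1\aaronp~1\applic~1\amokin~1\link camp regs.exe'
Creator: 'Aaron Penton'
RunOnlyIfLoggedOn = 1
Hidden = 1
Type: Daily
MinutesInterval: 60

[TRACE] Activating job 'Symantec NetDetect.job'
ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
Creator: 'Aaron Penton'
RunOnlyIfLoggedOn = 1
Hidden = 0
Type: Daily
MinutesInterval: 5
"""

# 8.3 short names that HijackThis prints for these folders, expanded so one
# rule covers both the short and the long form of a path.
SHORT_NAMES = {
    "docume~1": "documents and settings",
    "applic~1": "application data",
    "locals~1": "local settings",
}

# A quoted or unquoted drive-letter path ending in .exe/.dll/.ocx; anything
# after it (e.g. "-osboot") is treated as arguments and dropped.
PATH_RE = re.compile(r'"?([a-z]:\\.+?\.(?:exe|dll|ocx))"?', re.I)


def normalize(path):
    """Lower-case a path and expand the 8.3 short names HijackThis shows."""
    p = path.lower()
    for short, long in SHORT_NAMES.items():
        p = p.replace(short, long)
    return p


def extract_path(line):
    """Return the binary path from an O2 (BHO) or O4 (Run key) line, else None."""
    if line.startswith("O2 "):
        m = re.search(r"\}\s-\s(.*)$", line)      # text after the CLSID
    elif line.startswith("O4 "):
        m = re.search(r"\]\s(.*)$", line)         # text after the [value name]
    else:
        return None
    target = m.group(1) if m else ""
    m = PATH_RE.search(target)
    return m.group(1) if m else None


def triage_hjt(log_text):
    """Flag O2/O4 entries whose binary lives in a user-writable data folder."""
    findings = []
    for line in log_text.splitlines():
        path = extract_path(line)
        if not path:
            continue
        norm = normalize(path)
        reasons = []
        if "\\application data\\" in norm:
            reasons.append("runs from Application Data")
        if "\\local settings\\temp\\" in norm:
            reasons.append("runs from Temp")
        if line.startswith("O2 ") and norm.endswith(".exe"):
            reasons.append("BHO points at an .exe, not a DLL")  # BHOs are in-process DLLs
        if reasons:
            findings.append((line.split(" - ", 1)[0], path, "; ".join(reasons)))
    return findings


def triage_jobs(dump_text):
    """Flag scheduled jobs that are hidden, launch from a data folder, or have a random-looking name."""
    findings = []
    for block in re.split(r"\[TRACE\] Activating job ", dump_text)[1:]:
        name = re.match(r"'([^']+)'", block).group(1)
        app = re.search(r"ApplicationName: '([^']*)'", block)
        app = app.group(1) if app else ""
        hidden = re.search(r"Hidden = (\d)", block)
        reasons = []
        if hidden and hidden.group(1) == "1":
            reasons.append("Hidden flag set")
        if "\\application data\\" in normalize(app):
            reasons.append("runs from Application Data")
        if re.fullmatch(r"[0-9A-F]{16}\.job", name):
            reasons.append("16-hex-digit job name (assumed random, unlike named vendor jobs)")
        if reasons:
            findings.append((name, app, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for kind, path, why in triage_hjt(SAMPLE_HJT):
        print(f"{kind}: {path}  <- {why}")
    for name, app, why in triage_jobs(SAMPLE_JOBS):
        print(f"job {name}: {app}  <- {why}")
```

Run against the excerpts, it flags exactly the three HijackThis lines Buckeye_Sam listed (bibace.exe, ante surf.exe, mailface.exe) and the 8392935B8DCD093F.job task, while leaving the Yahoo, Spybot, Real, ctfmon and Symantec entries alone. Spybot's SDHelper.dll also shows as "(no name)", which is why the BHO rule keys on the file type and location rather than on the missing name.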

#5 grynch (Topic Starter)

Posted 02 June 2006 - 10:19 AM

Thank you.

Here you go:


Incident Status Location

Adware:Adware/Lop Not disinfected c:\docume~1\aaronp~1\applic~1\amokin~1\mailface.exe
Adware:Adware/Lop Not disinfected C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe
Adware:adware/keenvalue Not disinfected c:\windows\browserxtras\pn\remove.exe
Adware:adware/gator Not disinfected c:\windows\GatorPatch.log
Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall5_48.exe
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/navhelper Not disinfected Windows Registry
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\epvfbhmx.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\hxoguhyj.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\link camp regs.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\mailface.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\mlvgjesy.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb\pagfvreq.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\anteslowdefault\bibace.exe
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.revenue.net/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.microsofteup.112.2o7.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.com.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Aaron Penton\Application Data\Mozilla\Firefox\Profiles\2fdzedcj.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@adultfriendfinder[2].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@cassava[1].txt
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@findwhat[1].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@images.lop[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@offeroptimizer[1].txt
Spyware:Cookie/AspinallsOnlineCasino Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@pacificpoker[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@perf.overture[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@revenue[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@stats1.reliablestats[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Aaron Penton\Cookies\aaron penton@zedo[1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Desktop\backups\backup-20060601-162443-462.dll
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\b85f12a7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\bd32b08d.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\bis84.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\Cookies\aaron penton@ad.yieldmanager[1].txt
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\New85.tmp\upg_dll.dll
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\sta1756.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\sta1A2E.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\sta212A.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Aaron Penton\Local Settings\Temp\sta35C9.exe


___________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 8:36:46 AM, on 6/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\Bin\W3DBSMGR.EXE
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Aaron Penton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe
O4 - Startup: Engineering.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#6 Buckeye_Sam (Malware Expert)

Posted 02 June 2006 - 09:53 PM

Print out these directions as much of this step will be done in Safe mode and you won't be able to access the Internet.


Fix this line with Hijackthis.

O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe


Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.
Delete these files.

c:\windows\browserxtras\pn\remove.exe
c:\windows\GatorPatch.log
c:\windows\NDNuninstall5_48.exe



Delete these folders.

c:\program files\MyWay
C:\Documents and Settings\Aaron Penton\Application Data\Amok Internet Barb
C:\Documents and Settings\Aaron Penton\Application Data\anteslowdefault




Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back into normal mode and post a new hijackthis log.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 grynch (Topic Starter)

Posted 06 June 2006 - 10:49 AM

Thanks again, and here you go:

Logfile of HijackThis v1.99.1
Scan saved at 9:44:42 AM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Aaron Penton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\RegsLoad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe
O4 - Startup: Engineering.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

____________________________

I'm still getting that pop up.

Cheers

#8 Buckeye_Sam (Malware Expert)

Posted 06 June 2006 - 11:00 AM

Open notepad and copy and paste this text in it:

REM Start with a fresh report file
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
cd\
REM dir /x prints the 8.3 short names (APPLIC~1, AMOKIN~1) next to the long names
cd %appdata%
dir /x >> %systemdrive%\look.txt
cd %allusersprofile%\Application Data
dir /x >> %systemdrive%\look.txt
cd C:\Program Files
dir /x >> %systemdrive%\look.txt
REM Hidden entries in the Tasks folder, written to the same report file as above
dir %Windir%\tasks /a:h >> %systemdrive%\look.txt
start notepad %systemdrive%\look.txt

Save this as look.bat, choose to save it as *all files, and place it on your desktop.
Double-click look.bat and post the content of the txt file you get in your next reply.


=============


I also need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.


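As an added example (not code from this thread or from the HijackThis project), here is one way to script the kind of check applied to the logs above in Python: flag O2/O4 entries that run from a user-writable profile folder or are registered with a missing file, and use the dir /x output that look.bat collects to turn 8.3 short names such as AMOKIN~1 back into long folder names. The log lines are copied from this thread, the dir /x lines are constructed in the format look.bat produces, and the XP short-name table (DOCUME~1 and friends) is an assumption about default names on the machine.

```python
"""Added example: triage HijackThis O2/O4 lines with help from 'dir /x' output.

Not code from the thread or from HijackThis. It scripts two things a helper
does by eye: (1) flag autorun/BHO entries that run from a user-writable
profile folder or whose file is missing, and (2) resolve 8.3 short names
(APPLIC~1, AMOKIN~1) to long names using the look.bat listing.
"""
import re

# Assumption: default Windows XP short names for the profile tree. On a
# given machine they can differ (e.g. DOCUME~2); the dir /x map overrides.
XP_SHORT_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "ALLUSE~1": "All Users",
    "APPLIC~1": "Application Data",
    "LOCALS~1": "Local Settings",
    "PROGRA~1": "Program Files",
}

# Autorun locations on XP that installer-placed software rarely uses;
# adware dropped into the profile commonly does.
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\temp\\")

# A 'dir /x' line that carries a short name: date, time, <DIR> or size,
# the 8.3 name (contains '~'), then the long name.
DIR_X_RE = re.compile(
    r"^\d\d/\d\d/\d{4}\s+\d\d:\d\d\s[AP]M\s+(?:<DIR>|[\d,]+)\s+"
    r"(\S*~\d\S*)\s+(.+?)\s*$"
)

# HijackThis sections we triage, and the launched file inside the entry
# (quoted or not, with or without trailing arguments).
ENTRY_RE = re.compile(r"^(O2|O4)\s+-\s+(.*)$")
PATH_RE = re.compile(
    r"((?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|com|scr|bat|cmd|ocx))",
    re.IGNORECASE,
)

# Constructed sample: entries copied from the logs posted in this thread.
HJT_SAMPLE = [
    r"O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe (file missing)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r"O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\RegsLoad.exe",
    r"O4 - HKCU\..\Run: [ChicFour] C:\DOCUME~1\AARONP~1\APPLIC~1\AMOKIN~1\mailface.exe",
]

# Constructed sample in the format look.bat produces (dir /x).
DIR_X_SAMPLE = r"""
 Directory of C:\Documents and Settings\Aaron Penton\Application Data

06/03/2006  09:03 AM    <DIR>          AMOKIN~1     Amok Internet Barb
02/17/2006  12:12 PM    <DIR>                       Mozilla
12/02/2005  02:52 PM           131,264 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
"""


def build_name_map(dir_x_listing):
    """XP defaults plus every short->long pair found in the dir /x output."""
    names = dict(XP_SHORT_NAMES)
    for line in dir_x_listing.splitlines():
        m = DIR_X_RE.match(line.strip())
        if m:
            # The same short name can exist in two folders; the last one
            # listed wins here, so resolve such collisions by hand.
            names[m.group(1).upper()] = m.group(2)
    return names


def expand_short_path(path, names):
    """Replace the 8.3 components we can resolve; unknown ones stay as-is."""
    parts = []
    for comp in path.split("\\"):
        if "~" in comp:
            comp = names.get(comp.upper(), comp)
        parts.append(comp)
    return "\\".join(parts)


def triage_hjt(lines, names):
    """Return the O2/O4 entries worth a closer look, with the reasons."""
    findings = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        pm = PATH_RE.search(body)
        if not pm:
            continue
        path = expand_short_path(pm.group(1), names)
        reasons = []
        if "(file missing)" in body.lower():
            reasons.append("registered but file missing")
        if any(h in path.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("runs from a user-writable profile folder")
        if reasons:
            findings.append({"section": section, "path": path,
                             "reasons": reasons, "line": line})
    return findings


if __name__ == "__main__":
    resolved = build_name_map(DIR_X_SAMPLE)
    for hit in triage_hjt(HJT_SAMPLE, resolved):
        print(f"{hit['section']}  {hit['path']}")
        print("    " + "; ".join(hit["reasons"]))
```

Note that the Symantec vptray entry, which also uses a short path, is not flagged: a short name alone is no indicator, the folder it resolves to is.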

========================================================

#9 grynch (Topic Starter)

Posted 06 June 2006 - 12:20 PM

Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Documents and Settings\Aaron Penton\Application Data

01/19/2006 09:43 AM <DIR> Adobe
06/05/2006 08:58 AM <DIR> AdobeUM
05/04/2006 02:56 PM <DIR> Ahead
11/02/2005 09:39 AM <DIR> APPLEC~1 Apple Computer
10/31/2002 10:10 AM <DIR> Autodesk
10/08/2004 09:01 AM <DIR> CYBERL~1 CyberLink
09/26/2005 03:45 PM <DIR> dvdcss
12/02/2005 02:52 PM 131,264 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
12/13/2005 09:49 AM <DIR> Google
07/25/2002 01:22 PM <DIR> Help
02/16/2006 12:13 PM <DIR> HP
07/16/2002 04:28 PM <DIR> IDENTI~1 Identities
08/09/2002 07:37 AM <DIR> INTERT~1 InterTrust
02/17/2006 09:31 AM <DIR> Lavasoft
12/16/2004 12:40 PM <DIR> LEADER~1 Leadertech
10/12/2004 03:24 PM <DIR> MACROM~1 Macromedia
06/01/2006 10:55 AM <DIR> MEDIAP~1 Media Player Classic
02/17/2006 12:12 PM <DIR> Mozilla
02/17/2006 10:51 AM <DIR> mshy
12/12/2005 06:00 PM <DIR> Real
12/12/2005 09:33 AM <DIR> Roxio
09/06/2005 10:35 AM <DIR> Shareaza
02/02/2006 02:30 PM <DIR> Sun
07/16/2002 05:04 PM <DIR> Symantec
02/17/2006 10:51 AM <DIR> sysns
03/09/2004 05:31 PM <DIR> winks
01/04/2005 07:07 PM <DIR> {27ABE~1 {27ABEAD9-B7C4-4994-891F-48F5F48861FA}
1 File(s) 131,264 bytes
26 Dir(s) 2,954,985,472 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Documents and Settings\All Users\Application Data

03/16/2004 10:23 AM <DIR> Adobe
11/02/2005 09:30 AM <DIR> APPLEC~1 Apple Computer
08/12/2001 10:15 AM 12 DIRECT~1.TXT DirectCDUserNameE.txt
03/20/2006 11:11 AM 12 DRAGTO~2.TXT DragToDiscUserNameD.txt
10/03/2005 01:31 PM 12 DRAGTO~1.TXT DragToDiscUserNameE.txt
12/16/2004 12:26 PM 12 DRAGTO~3.TXT DragToDiscUserNameF.txt
11/09/2005 05:10 PM 12 DRAGTO~4.TXT DragToDiscUserNameI.txt
02/06/2006 05:03 PM <DIR> HP
02/06/2006 05:04 PM 1,133 HPZINS~1.LOG hpzinstall.log
06/03/2006 09:03 AM <DIR> LITEIN~1 Lite inside move chin
10/12/2004 03:25 PM <DIR> MACROM~1 Macromedia
06/16/2004 10:24 AM <DIR> MACROV~1 Macrovision
02/16/2006 12:27 PM <DIR> Napster
12/22/2005 10:50 AM 2,917 QTSBAN~1 QTSBandwidthCache
05/13/2004 03:07 PM <DIR> QUICKT~1 QuickTime
09/22/2004 07:18 PM <DIR> Roxio
07/16/2002 04:59 PM <DIR> SBSI
11/10/2005 10:21 AM <DIR> Sonic
05/31/2006 10:46 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
04/19/2004 07:05 PM <DIR> Symantec
06/16/2005 11:24 AM <DIR> VIEWPO~1 Viewpoint
09/06/2005 11:40 AM <DIR> WINDOW~1 Windows Genuine Advantage
04/05/2006 08:57 AM <DIR> YAHOO!~1 Yahoo! Companion
7 File(s) 4,110 bytes
16 Dir(s) 2,954,985,472 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Program Files

06/06/2006 09:30 AM <DIR> .
06/06/2006 09:30 AM <DIR> ..
09/13/2002 07:09 AM 280 acad.err
09/13/2002 07:09 AM 2,603 acadstk.dmp
01/06/2005 01:32 PM <DIR> ACCPAC
10/22/2004 09:36 AM <DIR> Adobe
09/20/2004 10:54 AM <DIR> Ahead
01/04/2005 07:37 PM <DIR> ALTOMP~1 AltoMP3 Maker
06/03/2006 09:03 AM <DIR> AMOKIN~1 Amok Internet Barb
09/22/2003 10:45 AM <DIR> aod
10/15/2004 04:23 PM <DIR> AOEV
08/25/2004 01:35 PM <DIR> APDFPRP
01/04/2005 07:29 PM <DIR> AUDIOM~1 Audio MP3 Maker
11/09/2004 02:34 PM <DIR> AUTOCA~1 AutoCAD 2002
10/15/2004 08:19 AM <DIR> AUTODE~1 Autodesk Architectural Desktop 3
10/18/2004 09:39 AM <DIR> BITTOR~1 BitTorrent
03/01/2004 09:04 AM <DIR> CASIO
11/16/2005 04:33 PM <DIR> CDTOMP~1 CD to MP3 Ripper
09/23/2005 04:18 PM <DIR> CD-DAX~1 CD-DA X-Tractor
02/16/2006 12:27 PM <DIR> COMMON~1 Common Files
07/16/2002 04:29 PM <DIR> COMPLU~1 ComPlus Applications
09/22/2004 07:51 PM <DIR> CYBERL~1 CyberLink
01/04/2005 07:23 PM <DIR> Dell
01/04/2005 07:24 PM <DIR> DELLCO~1 Dell Computer
04/20/2004 09:36 AM <DIR> DIMAGE~1 DiMAGE Viewer
02/11/2003 02:25 PM <DIR> DivX
12/16/2004 09:45 AM <DIR> DVD-RAM
12/16/2004 12:30 PM <DIR> DVDCAM
06/02/2006 08:44 AM <DIR> EASYRE~1 Easy Real Converter
09/20/2004 10:51 AM <DIR> eMule
06/01/2006 09:15 AM <DIR> FILEZI~1 FileZilla
10/18/2004 09:39 AM <DIR> FLAC
11/18/2004 09:48 AM <DIR> FREEDO~1 Free Download Manager
09/03/2004 04:03 PM <DIR> GLOBAL~1 GlobalSCAPE
06/02/2006 08:43 AM <DIR> Google
09/13/2002 07:11 AM <DIR> Help
11/10/2005 10:15 AM <DIR> HEWLET~1 Hewlett-Packard
05/04/2004 08:25 PM <DIR> HIGHMA~1 HighMAT CD Writing Wizard
02/06/2006 04:58 PM <DIR> HP
09/23/2001 02:11 PM <DIR> HPPHOT~1 HP Photosmart 11
10/18/2004 04:25 PM <DIR> iMesh
11/18/2004 09:24 AM <DIR> IntelCAD
06/02/2006 08:43 AM <DIR> INTERN~1 Internet Explorer
12/16/2004 12:30 PM <DIR> INTERV~1 InterVideo
09/25/2003 11:19 AM <DIR> INVOIC~1.1 Invoice Sheet Manager V4.1
06/06/2006 09:30 AM <DIR> iPhox
11/02/2005 09:31 AM <DIR> iPod
06/02/2006 08:43 AM <DIR> iTunes
01/05/2006 04:18 PM <DIR> Java
07/26/2002 12:52 PM <DIR> JavaSoft
02/17/2006 11:59 AM <DIR> KaZaA
02/17/2006 09:30 AM <DIR> Lavasoft
09/29/2003 02:18 PM <DIR> LimeWire
09/16/2004 03:49 PM <DIR> LIME_S~1 Lime_Shop
10/12/2004 03:20 PM <DIR> MACROM~1 Macromedia
10/18/2004 09:39 AM <DIR> MEDIAF~1 MediaFACE II
02/10/2005 04:11 AM <DIR> MESSEN~1 Messenger
07/16/2002 05:01 PM <DIR> MICROS~4 Microsoft ActiveSync
07/16/2002 04:29 PM <DIR> MICROS~1 microsoft frontpage
07/25/2002 02:48 PM <DIR> MICROS~2 Microsoft Office
07/16/2002 05:00 PM <DIR> MICROS~3 Microsoft Visual Studio
05/29/2006 11:05 AM <DIR> Morpher
10/18/2004 09:39 AM <DIR> Morpheus
10/18/2004 09:39 AM <DIR> MOVIEM~1 Movie Maker
06/06/2006 10:55 AM <DIR> MOZILL~1 Mozilla Firefox
03/26/2004 10:31 AM <DIR> MSN
07/16/2002 04:28 PM <DIR> MSNGAM~1 MSN Gaming Zone
07/16/2002 05:02 PM <DIR> MSPress
10/18/2004 09:39 AM <DIR> MUSICM~1 MUSICMATCH
02/16/2006 12:28 PM <DIR> Napster
09/14/2004 06:09 PM <DIR> NETMEE~1 NetMeeting
08/23/2005 06:03 PM <DIR> NewSoft
09/06/2005 11:38 AM <DIR> OFFICE~1 OfficeUpdate11
07/16/2002 04:29 PM <DIR> ONLINE~1 Online Services
01/02/2004 02:02 PM <DIR> ORIONS~1 OrionStudiosX
09/16/2004 11:17 AM <DIR> OSS
04/14/2006 03:01 AM <DIR> OUTLOO~1 Outlook Express
12/16/2004 12:30 PM <DIR> PANASO~1 Panasonic
09/13/2002 07:11 AM <DIR> PLOTST~1 Plot Styles
09/13/2002 07:11 AM <DIR> Plotters
09/26/2005 02:48 PM <DIR> ProDVD
03/16/2006 09:19 AM <DIR> QUICKT~1 QuickTime
07/29/2005 01:51 PM <DIR> Real
07/16/2002 04:59 PM <DIR> REALTE~1 Realtek Semiconductor Corp
07/29/2005 01:51 PM 774,144 RNGINT~1.DLL RngInterstitial.dll
09/22/2004 07:18 PM <DIR> Roxio
03/29/2006 04:07 PM <DIR> Shareaza
01/04/2005 07:12 PM <DIR> Sonic
06/02/2006 08:43 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
07/25/2005 09:09 AM <DIR> STOREF~1.COM Storefront.com
11/16/2005 02:56 PM <DIR> SUPERD~1 Super DVD Ripper
06/02/2006 08:44 AM <DIR> SUPERM~1 Super Mp3 Wav Converter
09/13/2002 07:11 AM <DIR> Support
12/01/2004 04:57 PM <DIR> SURETH~1 SureThing
04/19/2004 07:05 PM <DIR> Symantec
04/19/2004 07:04 PM <DIR> SYMANT~1 Symantec_Client_Security
01/04/2005 07:07 PM <DIR> TORREN~1 TorrentStorm
10/18/2004 09:39 AM <DIR> VECTOR~1 VectorEye
07/16/2002 05:06 PM <DIR> VIEWPO~1 Viewpoint
01/04/2005 07:09 PM <DIR> Virtuosa
09/11/2001 03:48 PM <DIR> VOLOVI~1 Volo View Express
07/25/2002 02:51 PM <DIR> WexTech
01/13/2005 08:05 PM <DIR> WINDOW~4 Windows Journal Viewer
01/07/2006 05:36 PM <DIR> WI88B7~1 Windows Media Connect
05/29/2006 11:05 AM <DIR> WI4DF6~1 Windows Media Connect 2
02/15/2006 04:03 AM <DIR> WINDOW~3 Windows Media Player
09/14/2004 06:09 PM <DIR> WINDOW~1 Windows NT
06/02/2006 08:44 AM <DIR> WinRAR
03/12/2004 03:54 PM <DIR> Winsim
06/02/2006 08:44 AM <DIR> WinZip
07/16/2002 04:29 PM <DIR> XEROX
09/26/2005 02:04 PM <DIR> Xilisoft
05/31/2006 10:50 AM <DIR> XoftSpy
10/18/2004 09:39 AM <DIR> XviD
04/05/2006 08:56 AM <DIR> Yahoo!
3 File(s) 777,027 bytes
112 Dir(s) 2,954,973,184 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\WINDOWS\tasks

06/06/2006 11:00 AM 284 39D9EEE49EBEE540.job
08/18/2001 06:00 AM 65 DESKTOP.INI
06/06/2006 09:41 AM 6 SA.DAT
3 File(s) 355 bytes
0 Dir(s) 2,954,977,280 bytes free



________________________________

A
ACCPAC Accounts Payable 5.1A
ACCPAC Accounts Receivable 5.1A
ACCPAC General Ledger 5.1A
ACCPAC Inventory Control 5.1A
ACCPAC Order Entry 5.1A
ACCPAC Purchase Orders 5.1A
ACCPAC System Manager 5.1A
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe GoLive 5.0
Adobe GoLive 6.0
Adobe Illustrator 10.0.3
Adobe InDesign 2.0
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Advanced Outlook Express Recovery v1.1
Advanced PDF Password Recovery Pro
AnswerWorks Runtime
ATI Display Driver
AutoCAD 2002
Autodesk Architectural Desktop 3.3
BitTorrent 3.4.2
BizCard
CD to MP3 Ripper
CD Viewer
CD-DA X-Tractor v0.24
CoreVorbis Audio Decoder (remove only)
CuteFTP Server HOME 2
DiMAGE Viewer
DirectDVD 5.2 ES Shareware
DivX 5.0.3 Pro Bundle
DVD to DVD Copy
DVD-MovieAlbumSE 3 for DVDCAM
DVD-RAM Driver
DwfIn 3.3.0.0
DwfIn 6.0.1.3
Easy Real Converter V1.41
FileZilla (remove only)
FLAC Installer 1.1.0m (remove only)
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
hp deskjet 5600
hp deskjet 5600 series
HP Document Viewer 5.3
HP Extended Capabilities 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Photosmart 330,380,420,470,7800,8000,8200 Series
HP Scanjet 4800 series
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
Invoice Sheet Manager V4.1
iPod Updater 2004-11-15
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_08
LAN-Fax Utilities
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Flash Player 8
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Office XP Media Content
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Small Business
Microsoft Windows Journal Viewer
Morpher
Morpheus 1.9
Mozilla Firefox (1.5.0.4)
OSS Audio Converter 6.0.0.2
Panda ActiveScan
Pervasive.SQL 2000i Workgroup
Pervasive.SQL 2000i Workgroup (SP4)
Photo Loader 2.1E
PowerDVD 5.1
Presto! BizCard 4.0
Presto! BizCard 4.0 Component for Windows CE
RealPlayer
Realtek RTL8139 Diagnostics Program
Roxio Easy Media Creator 7
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Shareaza version 2.2.1.0
Shockwave
Spybot - Search & Destroy 1.4
Super DVD Ripper (remove only)
Super Mp3 Wav Converter V1.6
SureThing CD Labeler Deluxe 4
SureThing Photo
Symantec AntiVirus Client
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB910437)
Vector Eye
Viewpoint Media Player (Remove Only)
Volo View Express
Vstascan
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Related
Windows XP Service Pack 2
WinRAR archiver
WinZip
XoftSpy
XviD Video Codec 15012003-1 (Koepi's developer build)
Yahoo! Toolbar

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:17 PM

Posted 06 June 2006 - 02:31 PM

Click Start -> Control Panel -> Add/Remove Programs and uninstall this program.

Viewpoint Media Player (Remove Only)


Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • Make sure "Hide extensions for known file types" is unchecked
  • Make sure "Hide protected operating system files (recommended)" is unchecked
  • For more info on how to show hidden files click here.
Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • If you have trouble getting into Safe mode go here for more info.
Delete these folders.

C:\Documents and Settings\All Users\Application Data\Lite inside move chin
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Program Files\Viewpoint
C:\Program Files\Amok Internet Barb
C:\Program Files\Lime_Shop
C:\Program Files\LimeWire



===========


Open notepad and copy and paste this text in it:
%systemdrive%
REM switch to the system drive and into the Scheduled Tasks folder
cd C:\WINDOWS\Tasks
REM clear the read-only, system and hidden attributes so the task file can be deleted
attrib -r -s -h 39D9EEE49EBEE540.job
del 39D9EEE49EBEE540.job

Save this as remjob.bat, choose to save it as *all files, and place it on your desktop.
This file can replace the one you made earlier if you get that prompt.
Double-click on remjob.bat. A DOS window will open and close again; this is normal.


===========


Reboot back to normal mode.
Post a new hijackthis log and a new log from look.bat
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 grynch

grynch
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 08 June 2006 - 09:35 AM

Logfile of HijackThis v1.99.1
Scan saved at 8:31:41 AM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PVSW\Bin\W3DBSMGR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Aaron Penton\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPHUPD08] C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\RegsLoad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: Engineering.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Pervasive.SQL Workgroup Engine.lnk = C:\PVSW\Bin\W3DBSMGR.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://abmls.mlxchange.com/Control/MultiSelectComboBox.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://abmls.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://abmls.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\Autodesk Architectural Desktop 3\AcPreview.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: GlobalSCAPE CuteFTP Server Home - GlobalSCAPE Texas, LP - C:\Program Files\GlobalSCAPE\CuteFTP Server\cftpstes.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

________________________________________


Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Documents and Settings\Aaron Penton\Application Data

01/19/2006 09:43 AM <DIR> Adobe
06/05/2006 08:58 AM <DIR> AdobeUM
05/04/2006 02:56 PM <DIR> Ahead
11/02/2005 09:39 AM <DIR> APPLEC~1 Apple Computer
10/31/2002 10:10 AM <DIR> Autodesk
10/08/2004 09:01 AM <DIR> CYBERL~1 CyberLink
09/26/2005 03:45 PM <DIR> dvdcss
12/02/2005 02:52 PM 131,264 GDIPFO~1.DAT GDIPFONTCACHEV1.DAT
12/13/2005 09:49 AM <DIR> Google
07/25/2002 01:22 PM <DIR> Help
02/16/2006 12:13 PM <DIR> HP
07/16/2002 04:28 PM <DIR> IDENTI~1 Identities
08/09/2002 07:37 AM <DIR> INTERT~1 InterTrust
02/17/2006 09:31 AM <DIR> Lavasoft
12/16/2004 12:40 PM <DIR> LEADER~1 Leadertech
10/12/2004 03:24 PM <DIR> MACROM~1 Macromedia
06/01/2006 10:55 AM <DIR> MEDIAP~1 Media Player Classic
02/17/2006 12:12 PM <DIR> Mozilla
02/17/2006 10:51 AM <DIR> mshy
12/12/2005 06:00 PM <DIR> Real
12/12/2005 09:33 AM <DIR> Roxio
09/06/2005 10:35 AM <DIR> Shareaza
02/02/2006 02:30 PM <DIR> Sun
07/16/2002 05:04 PM <DIR> Symantec
02/17/2006 10:51 AM <DIR> sysns
03/09/2004 05:31 PM <DIR> winks
01/04/2005 07:07 PM <DIR> {27ABE~1 {27ABEAD9-B7C4-4994-891F-48F5F48861FA}
1 File(s) 131,264 bytes
26 Dir(s) 2,947,747,840 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Documents and Settings\All Users\Application Data

03/16/2004 10:23 AM <DIR> Adobe
11/02/2005 09:30 AM <DIR> APPLEC~1 Apple Computer
08/12/2001 10:15 AM 12 DIRECT~1.TXT DirectCDUserNameE.txt
03/20/2006 11:11 AM 12 DRAGTO~2.TXT DragToDiscUserNameD.txt
10/03/2005 01:31 PM 12 DRAGTO~1.TXT DragToDiscUserNameE.txt
12/16/2004 12:26 PM 12 DRAGTO~3.TXT DragToDiscUserNameF.txt
11/09/2005 05:10 PM 12 DRAGTO~4.TXT DragToDiscUserNameI.txt
02/06/2006 05:03 PM <DIR> HP
02/06/2006 05:04 PM 1,133 HPZINS~1.LOG hpzinstall.log
10/12/2004 03:25 PM <DIR> MACROM~1 Macromedia
06/16/2004 10:24 AM <DIR> MACROV~1 Macrovision
02/16/2006 12:27 PM <DIR> Napster
12/22/2005 10:50 AM 2,917 QTSBAN~1 QTSBandwidthCache
05/13/2004 03:07 PM <DIR> QUICKT~1 QuickTime
09/22/2004 07:18 PM <DIR> Roxio
07/16/2002 04:59 PM <DIR> SBSI
11/10/2005 10:21 AM <DIR> Sonic
05/31/2006 10:46 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
04/19/2004 07:05 PM <DIR> Symantec
09/06/2005 11:40 AM <DIR> WINDOW~1 Windows Genuine Advantage
04/05/2006 08:57 AM <DIR> YAHOO!~1 Yahoo! Companion
7 File(s) 4,110 bytes
14 Dir(s) 2,947,747,840 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\Program Files

06/08/2006 08:23 AM <DIR> .
06/08/2006 08:23 AM <DIR> ..
09/13/2002 07:09 AM 280 acad.err
09/13/2002 07:09 AM 2,603 acadstk.dmp
01/06/2005 01:32 PM <DIR> ACCPAC
10/22/2004 09:36 AM <DIR> Adobe
09/20/2004 10:54 AM <DIR> Ahead
01/04/2005 07:37 PM <DIR> ALTOMP~1 AltoMP3 Maker
09/22/2003 10:45 AM <DIR> aod
10/15/2004 04:23 PM <DIR> AOEV
08/25/2004 01:35 PM <DIR> APDFPRP
01/04/2005 07:29 PM <DIR> AUDIOM~1 Audio MP3 Maker
06/07/2006 03:42 PM <DIR> AUTOCA~1 AutoCAD 2002
10/15/2004 08:19 AM <DIR> AUTODE~1 Autodesk Architectural Desktop 3
10/18/2004 09:39 AM <DIR> BITTOR~1 BitTorrent
03/01/2004 09:04 AM <DIR> CASIO
11/16/2005 04:33 PM <DIR> CDTOMP~1 CD to MP3 Ripper
09/23/2005 04:18 PM <DIR> CD-DAX~1 CD-DA X-Tractor
02/16/2006 12:27 PM <DIR> COMMON~1 Common Files
07/16/2002 04:29 PM <DIR> COMPLU~1 ComPlus Applications
09/22/2004 07:51 PM <DIR> CYBERL~1 CyberLink
01/04/2005 07:23 PM <DIR> Dell
01/04/2005 07:24 PM <DIR> DELLCO~1 Dell Computer
04/20/2004 09:36 AM <DIR> DIMAGE~1 DiMAGE Viewer
02/11/2003 02:25 PM <DIR> DivX
12/16/2004 09:45 AM <DIR> DVD-RAM
12/16/2004 12:30 PM <DIR> DVDCAM
06/02/2006 08:44 AM <DIR> EASYRE~1 Easy Real Converter
09/20/2004 10:51 AM <DIR> eMule
06/01/2006 09:15 AM <DIR> FILEZI~1 FileZilla
10/18/2004 09:39 AM <DIR> FLAC
11/18/2004 09:48 AM <DIR> FREEDO~1 Free Download Manager
09/03/2004 04:03 PM <DIR> GLOBAL~1 GlobalSCAPE
06/02/2006 08:43 AM <DIR> Google
09/13/2002 07:11 AM <DIR> Help
11/10/2005 10:15 AM <DIR> HEWLET~1 Hewlett-Packard
05/04/2004 08:25 PM <DIR> HIGHMA~1 HighMAT CD Writing Wizard
02/06/2006 04:58 PM <DIR> HP
09/23/2001 02:11 PM <DIR> HPPHOT~1 HP Photosmart 11
10/18/2004 04:25 PM <DIR> iMesh
11/18/2004 09:24 AM <DIR> IntelCAD
06/02/2006 08:43 AM <DIR> INTERN~1 Internet Explorer
12/16/2004 12:30 PM <DIR> INTERV~1 InterVideo
09/25/2003 11:19 AM <DIR> INVOIC~1.1 Invoice Sheet Manager V4.1
06/06/2006 09:30 AM <DIR> iPhox
11/02/2005 09:31 AM <DIR> iPod
06/02/2006 08:43 AM <DIR> iTunes
01/05/2006 04:18 PM <DIR> Java
07/26/2002 12:52 PM <DIR> JavaSoft
02/17/2006 11:59 AM <DIR> KaZaA
02/17/2006 09:30 AM <DIR> Lavasoft
10/12/2004 03:20 PM <DIR> MACROM~1 Macromedia
10/18/2004 09:39 AM <DIR> MEDIAF~1 MediaFACE II
02/10/2005 04:11 AM <DIR> MESSEN~1 Messenger
07/16/2002 05:01 PM <DIR> MICROS~4 Microsoft ActiveSync
07/16/2002 04:29 PM <DIR> MICROS~1 microsoft frontpage
07/25/2002 02:48 PM <DIR> MICROS~2 Microsoft Office
07/16/2002 05:00 PM <DIR> MICROS~3 Microsoft Visual Studio
05/29/2006 11:05 AM <DIR> Morpher
10/18/2004 09:39 AM <DIR> Morpheus
10/18/2004 09:39 AM <DIR> MOVIEM~1 Movie Maker
06/08/2006 08:31 AM <DIR> MOZILL~1 Mozilla Firefox
03/26/2004 10:31 AM <DIR> MSN
07/16/2002 04:28 PM <DIR> MSNGAM~1 MSN Gaming Zone
07/16/2002 05:02 PM <DIR> MSPress
10/18/2004 09:39 AM <DIR> MUSICM~1 MUSICMATCH
02/16/2006 12:28 PM <DIR> Napster
09/14/2004 06:09 PM <DIR> NETMEE~1 NetMeeting
08/23/2005 06:03 PM <DIR> NewSoft
09/06/2005 11:38 AM <DIR> OFFICE~1 OfficeUpdate11
07/16/2002 04:29 PM <DIR> ONLINE~1 Online Services
01/02/2004 02:02 PM <DIR> ORIONS~1 OrionStudiosX
09/16/2004 11:17 AM <DIR> OSS
04/14/2006 03:01 AM <DIR> OUTLOO~1 Outlook Express
12/16/2004 12:30 PM <DIR> PANASO~1 Panasonic
09/13/2002 07:11 AM <DIR> PLOTST~1 Plot Styles
09/13/2002 07:11 AM <DIR> Plotters
09/26/2005 02:48 PM <DIR> ProDVD
03/16/2006 09:19 AM <DIR> QUICKT~1 QuickTime
07/29/2005 01:51 PM <DIR> Real
07/16/2002 04:59 PM <DIR> REALTE~1 Realtek Semiconductor Corp
07/29/2005 01:51 PM 774,144 RNGINT~1.DLL RngInterstitial.dll
09/22/2004 07:18 PM <DIR> Roxio
03/29/2006 04:07 PM <DIR> Shareaza
01/04/2005 07:12 PM <DIR> Sonic
06/02/2006 08:43 AM <DIR> SPYBOT~1 Spybot - Search & Destroy
07/25/2005 09:09 AM <DIR> STOREF~1.COM Storefront.com
11/16/2005 02:56 PM <DIR> SUPERD~1 Super DVD Ripper
06/02/2006 08:44 AM <DIR> SUPERM~1 Super Mp3 Wav Converter
09/13/2002 07:11 AM <DIR> Support
12/01/2004 04:57 PM <DIR> SURETH~1 SureThing
04/19/2004 07:05 PM <DIR> Symantec
04/19/2004 07:04 PM <DIR> SYMANT~1 Symantec_Client_Security
01/04/2005 07:07 PM <DIR> TORREN~1 TorrentStorm
10/18/2004 09:39 AM <DIR> VECTOR~1 VectorEye
01/04/2005 07:09 PM <DIR> Virtuosa
09/11/2001 03:48 PM <DIR> VOLOVI~1 Volo View Express
07/25/2002 02:51 PM <DIR> WexTech
01/13/2005 08:05 PM <DIR> WINDOW~4 Windows Journal Viewer
01/07/2006 05:36 PM <DIR> WI88B7~1 Windows Media Connect
05/29/2006 11:05 AM <DIR> WI4DF6~1 Windows Media Connect 2
02/15/2006 04:03 AM <DIR> WINDOW~3 Windows Media Player
09/14/2004 06:09 PM <DIR> WINDOW~1 Windows NT
06/02/2006 08:44 AM <DIR> WinRAR
03/12/2004 03:54 PM <DIR> Winsim
06/02/2006 08:44 AM <DIR> WinZip
07/16/2002 04:29 PM <DIR> XEROX
09/26/2005 02:04 PM <DIR> Xilisoft
05/31/2006 10:50 AM <DIR> XoftSpy
10/18/2004 09:39 AM <DIR> XviD
04/05/2006 08:56 AM <DIR> Yahoo!
3 File(s) 777,027 bytes
108 Dir(s) 2,947,735,552 bytes free
Volume in drive C has no label.
Volume Serial Number is E482-92D5

Directory of C:\WINDOWS\tasks

08/18/2001 06:00 AM 65 DESKTOP.INI
06/08/2006 08:26 AM 6 SA.DAT
2 File(s) 71 bytes
0 Dir(s) 2,947,739,648 bytes free
_________________________________________


Sam - the pop up has disappeared! Does it look clean?


Thank you!

Aaron

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:17 PM

Posted 08 June 2006 - 02:11 PM

Fix these lines with Hijackthis.

O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe (file missing)
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\RegsLoad.exe



Otherwise your log looks clean to me! :thumbsup:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:flowers: :huh:


========================================================
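The two lines Sam singled out share traits a log reader checks by eye: a BHO whose file is missing, registered from a user-profile folder and pointing at an .exe rather than a DLL, and a Run entry launching from Application Data. The following triage script encodes those checks; it is an added example, not part of this thread or of HijackThis, assumes the HijackThis 1.99 line layout shown in the logs above, and its sample is constructed from lines quoted in this thread.

```python
"""Triage helper for HijackThis 1.99 log lines (O2 BHO and O4 Run entries).

Added example, not part of the original thread or of HijackThis. It flags
the entries a helper would ask about first; everything it reports still
needs a human decision, as the Spybot SDHelper line (also "(no name)")
shows.
"""
import re
from dataclasses import dataclass, field

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Profile directories in long and 8.3 short form, as HijackThis prints them.
PROFILE_DIR_RE = re.compile(r"(documents and settings|docume~1)\\", re.I)
APPDATA_RE = re.compile(r"(application data|applic~1)\\", re.I)
# First program path in a Run value, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|ocx))"?', re.I)

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {049C741E-07A5-AE1A-4F95-2E2CB24A06CF} - C:\DOCUME~1\AARONP~1\APPLIC~1\ANTESL~1\bibace.exe (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [movechindownloadbarb] C:\Documents and Settings\All Users\Application Data\Lite inside move chin\RegsLoad.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value such as '"C:\\x y.exe" -flag'."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def in_profile_appdata(path: str) -> bool:
    """True when the path sits under <profile>\\Application Data (long or 8.3 form)."""
    return bool(PROFILE_DIR_RE.search(path) and APPDATA_RE.search(path))


def triage_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    reasons = []
    m = O2_RE.match(line)
    if m:
        target = m.group("target")
        if target.endswith("(file missing)"):
            reasons.append("BHO registered but its file is missing")
        path = executable_of(target)
        if in_profile_appdata(path):
            reasons.append("BHO loaded from a user-profile Application Data folder")
        if path.lower().endswith(".exe"):
            reasons.append("BHO points at an .exe; BHOs are in-process DLLs")
        # "(no name)" alone is not a signal (Spybot's SDHelper has none either),
        # so it only counts once another indicator is present.
        if m.group("name") == "(no name)" and reasons:
            reasons.append("no display name, which legitimate vendors usually set")
    m = O4_RE.match(line)
    if m and in_profile_appdata(executable_of(m.group("cmd"))):
        reasons.append(m.group("hive") + " Run entry starts a program from a profile Application Data folder")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Run triage over a whole log; returns only the lines that need review."""
    findings = []
    for raw in log_text.splitlines():
        finding = triage_line(raw.rstrip())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```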

#13 grynch

grynch
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:12:17 AM

Posted 08 June 2006 - 05:20 PM

Awesome! Thank you Sam.

Warm regards,

Aaron

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:11:17 PM

Posted 08 June 2006 - 08:12 PM

Glad to help! :thumbsup:

As your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================



