Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Lots Of Help Please


  • This topic is locked This topic is locked
70 replies to this topic

#1 pcdome

pcdome

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 03 July 2006 - 11:13 PM

Hello,

I'm far from being an expert, and I've tried to ask some of my more knowlegeable friends but I'm not getting anywhere with them. My original problem was that I have a BF Ghost (is that correct) running on my computer called conime.exe. I found a way to get rid of it on this forum once before but stupidly I closed that page without saving it as a favorite.

Anyhow, I'm glad I did lose that page because I have found several other problems thanks to your pinned topic on what I have to do before posting an HJT log. Now, I don't know how to fix those problems either, and I haven't noticed them come up in my HJT log, so I'm going to type those problems in first and then list my HJT log. (I will title each new problem in red and italicized. Please don't think I'm rude, I just thought it easier that way. Okay? Thanks. I'm sorry that this is going to be such a long post. :thumbsup:

First Problem:

This is the report from the Trend Micro page, after cleaning:

Detected grayware/spyware

Note: Complete removal of the grayware listed below failed! If you require general hints and tips to solve the problem please click here. (My personal side note: I tried this and was told they have no solution for this problem. Back to Trend Micro report.) Grayware specific information is available from the relevant grayware section.

TSPY_CLICKER.CP 1 infections

There is no more information available for this grayware/spyware...
General information about this type of grayware/spyware.

Some of this grayware/spyware could not be removed automatically! Click here to receive instructions on how to remove this infection manually. (My personal side note: I tried this and received a message box that says: There is currently no information available on how to remove this malware/grayware manually. Please contact HouseCall Support (via the "Support" link) and describe your problem. (My personal side note: I'll do this, if the problem can't be solved here.))

Cleanup Options
(radio button) Clean all detected infections automatically (My personal side note: This doesn't work.)
(radio button) Select an individual action for each detected infection
(Checkbox with no logo above) Checked (Checkbox with broom above) Checking Not Allowed (Checkbox with a red "x"a above) Can be checked (Reason box) The current platform does not support cleanup (Files infected by this grayware/spyware) Files infected by this grayware/spyware

Second Problem:

From Stinger:

Scan initiated on Tue Jul 04 01:33:40 2006
C:\Documents and Settings\Robb\MyDocuments\h0ya\CDmage.exe
Found the W32/Pate.dam virus !!!
C:\Documents and Settings\Robb\MyDocuments\h0ya\CDmage.exe could not be repaired.
Number of Clean Files: 239106
Number of infected Files: 1

Third Problem:

ZoneLabs ZoneAlarm Firewall Download

According to the File Download Box the whole file is finished but the File Download box won't stop downloading and close the dialog box. I have it set to automatically close when finished but it won't close, I only have an option to cancel. I also don't see the file in my save location. Actually, I just recevied a message box that said the operation timed out.

Anyhow, I don't know if this is a problem for this forum or not, but I thought I would tell you, just in case.

Fourth & Last Problem: (at least that I'm aware of :flowers: )

This is my original problem conime.exe

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:10:44 PM, on 7/4/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\conime.exe
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ADSpider] C:\Program Files\ADSPider\ADSpider.exe /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [NAVNT 2005Seq] C:\DOCUME~1\Robb\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\Robb\LOCALS~1\Temp\2005LU~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF -
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://kherald.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {240F0899-15BB-49AE-B820-62CEB9116C0F} (SkyCom Control) - http://www.skylove.com/connect/skycom.cab
O16 - DPF: {247D3068-ABDA-4A56-A48A-112183AC08B5} (GK_YH_Launcher Control) - http://kr.wbgames.yahoo.com/GK_YH_Launcher.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://www.hanabank.com/plugin/INIS60.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {3E59D482-6ABF-4560-A0C7-F90ACC0DC6BC} (MOHAAStarterX Control) - http://www.mohonline.co.kr/up/cab/MOHAAStarterX.cab
O16 - DPF: {4A55BA7E-0379-4DB5-BDEF-70454A548AB2} (AgentReal Control) - http://kr.baduk.yahoo.com/cab/YahooBaduk.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezx...ezxsactivex.cab
O16 - DPF: {4BF107D8-CFB8-4BC8-B54D-375CA564A33B} (EAJamDn Control) - http://www.mohonline.co.kr/up/cab/EADownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5D8F2-7C23-42AB-B6BF-5E7840CB1F27} (BxPopHandler Control) - http://www.netian.com/lib/BxPopHandler.cab
O16 - DPF: {5CBED04F-42E6-4BEC-A087-C20012B6308B} (SCLiveUp Class) - http://www.metlife.co.kr/cs/scCab/scLiveUp.cab
O16 - DPF: {6359EFB8-A988-4572-976B-3BA42C3A6177} (PMViewerX Control) - http://www.wholsee.com/Web/Scripts/Common/Map/PMapX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106110171734
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas/autoc...niMasPlugin.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cib...r_1_1_1_119.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezx...xsinstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/.../xw_install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.vrboard.co.kr/bin/cortvrml.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9DD4E0E8-2CED-4064-BF11-DDB2196CEC40} (SOLWeB4SIB Class) - http://www.solomonbank.com/cab/SOLWeB4SIB.cab
O16 - DPF: {A099920B-630C-426B-91EC-737685CEEE17} (AxCrossCert Class) - http://www.solomonbank.com/cab/AxCrossCert_2.5.0.1.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/BankPayEFT.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/nprotect/keb/check_new/npkcx.cab
O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - http://update.nprotect.net/nprotect/keb/check_new/npx2.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V23.cab
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.hauri.net/Kor/online_up/vrupdate.cab
O16 - DPF: {DA76E8AE-2E7F-49A8-B5F2-D1C4FF70ECD5} (SamsungMap Control) - http://mapsvc.samsung.co.kr/ActiveX/SamsungMap_V25.cab
O16 - DPF: {DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF} (Imhtml Control) - http://activexdown.paran.com/paranactivex/data/imhtml.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {E40DEFEA-9133-4374-BB1B-E138DEFFF247} (SOLWeBLiveUpdate Class) - http://www.solomonbank.com/cab/SOLWeBLiveUpdate.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://image.shinhan.com/initech/plugin/ve...NISafeWeb50.cab
O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thank you so much for your help.

Edited by pcdome, 03 July 2006 - 11:15 PM.


BC AdBot (Login to Remove)

 


#2 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 09 July 2006 - 02:16 PM

Hi pcdome and welcome to the Bleeping Computer forums. My name is Whisperer and I will be helping you with your problem. Although I am experienced with computers, I am currently a Trainee in Malware removal and, as such, ALL of my replies will be vetted by malware experts.

If you have not done so already, please do the initial cleanup steps in the following instructions and then post a new log: Preparation Guide For Use Before Posting a HijackThis Log

I would like you to produce a list of installed programs to assist me in any cleanup.
  • To do this open your HijackThis
    • Click on Open the Misc Tools section or Config… button, depending on how you are set up.
    • If you used the Config... option then click the Misc Tools tab
    • Select Open Uninstall Manager , a list of your installed programs will be displayed.
    • Select the Save List… button and save the file to your desktop.
  • Please post a copy of this list and an up-to-date HijackThis log in your next reply
GT :thumbsup:

#3 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 10 July 2006 - 06:37 PM

Hi Whisperer,

Thanks for your help. Just to let you know I did follow all the steps that I was suppossed to do before posting a HJT log. However, I ran into some problems in the virus scans and firewall download process that I posted in my original topic. (Please see the top of the original topic for details of these problems that could not be solved.)

Anyhow, here is the HJT uninstall_list (below this is a current HJT log):

Ad-Aware SE Personal
Adobe Download Manager 2.0(¼³A¡ A|°A¸¸ CØ´c)
Adobe Flash Player 9 ActiveX
Adobe Illustrator CS
Adobe Photoshop CS
Adobe Reader 7.0.7
Adobe SVG Viewer 3.0
AeCOAUμ|(Unified Codec Pack) 8.0.0.5 ≫eA|
Alcohol 120% (Trial Version)
BitComet 0.56
Canon MP Drivers 7.0
Canon ScanGear Starter
CASHFLOW?202 THE E-GAME
CASHFLOW?THE E-GAME
ccCommon
CN°OAO
CN°OAO AUμ¿ AI½ºAc·?
CN¹æ¿¡~ V2.15
Codec 7.8i
Democracy Player 0.8.4.1
Desktop Weather by The Weather Channel
GOM Player
Google Earth
Google SketchUp
Google Toolbar for Internet Explorer
HijackThis 1.99.1
IKEA Home Planner Kitchen
Internet Explorer Q903235
Internet Worm Protection
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Juice 2.2
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia ColdFusion MX 7
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
MSN Messenger 7.5
Nero 6 Ultra Edition
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
nProtect KeyCrypt
nProtect Netizen Ver.3(remove only)
NVIDIA Drivers
PDF reDirect (remove only)
PeerGuardian 2.0
PowerISO
QuickTime
Real Alternative 1.46
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Serif DrawPlus 4.0
Slim TV Driver
SnoopFree Privacy Shield
SoftCamp Secure KeyStroke 4.0
SPBBC
Spybot - Search & Destroy 1.4
Symantec
Symantec Script Blocking Installer
SymNet
The Rosetta Stone
TV Card
TV Card Driver
TV Driver
TVAnts 1.0
TVUPlayer 1.5.12
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
VideoLAN VLC media player 0.8.4a
VobSub v2.23 (Remove Only)
Weather Services
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB912812
Windows XP Hotfix - KB916281
Windows XP Hotfix - KB918439
WinISO 5.3
WinRAR archiver
XecureWeb Control
Yahoo! Messenger

Here is the current HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:34:08 AM, on 7/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ADSpider] C:\Program Files\ADSPider\ADSpider.exe /start
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [NAVNT 2005Seq] C:\DOCUME~1\Robb\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\Robb\LOCALS~1\Temp\2005LU~1.INI /s:SPW_Set_Sequence
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: 799BB2EC-572A-42A9-84AD-112806F4F551 -
O16 - DPF: DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF -
O16 - DPF: {091CDD73-1401-4643-9B9C-65B091C88685} (MyLinker Control) - http://kherald.contents.mylinker.co.kr/module/MyLinker.cab
O16 - DPF: {18D63578-EA2F-4A59-A49A-7F62E6B3DF3E} (ImP3 Control) - http://activexdown.paran.com/paranactivex/data/ImP3.cab
O16 - DPF: {240F0899-15BB-49AE-B820-62CEB9116C0F} (SkyCom Control) - http://www.skylove.com/connect/skycom.cab
O16 - DPF: {247D3068-ABDA-4A56-A48A-112183AC08B5} (GK_YH_Launcher Control) - http://kr.wbgames.yahoo.com/GK_YH_Launcher.cab
O16 - DPF: {27E4B2A9-D554-40DE-B6CD-F11E9B44FBD0} (SimFileControl Control) - http://simfile.chol.com/down/SimFileControl.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://www.hanabank.com/plugin/INIS60.cab
O16 - DPF: {2882C368-D508-11D4-A2AB-000102598CE4} (LProtect Control) - http://www.livecall.co.kr/pds/module/livecall.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://file.nx.com/activex/public_new/nxpm.cab
O16 - DPF: {36F46B1E-11B7-4221-B4F7-F1FC9687E7F6} (MBox Control) - http://kr.music.yahoo.com/m_box/component/mbox.cab
O16 - DPF: {3E59D482-6ABF-4560-A0C7-F90ACC0DC6BC} (MOHAAStarterX Control) - http://www.mohonline.co.kr/up/cab/MOHAAStarterX.cab
O16 - DPF: {4A55BA7E-0379-4DB5-BDEF-70454A548AB2} (AgentReal Control) - http://kr.baduk.yahoo.com/cab/YahooBaduk.cab
O16 - DPF: {4B48CEDD-EB09-4FD3-AA22-5BDE98EDEF90} (EZXSActiveX Control) - http://www.buykorea.org/buykorea/front/ezx...ezxsactivex.cab
O16 - DPF: {4BF107D8-CFB8-4BC8-B54D-375CA564A33B} (EAJamDn Control) - http://www.mohonline.co.kr/up/cab/EADownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {52A5D8F2-7C23-42AB-B6BF-5E7840CB1F27} (BxPopHandler Control) - http://www.netian.com/lib/BxPopHandler.cab
O16 - DPF: {5CBED04F-42E6-4BEC-A087-C20012B6308B} (SCLiveUp Class) - http://www.metlife.co.kr/cs/scCab/scLiveUp.cab
O16 - DPF: {6359EFB8-A988-4572-976B-3BA42C3A6177} (PMViewerX Control) - http://www.wholsee.com/Web/Scripts/Common/Map/PMapX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1106110171734
O16 - DPF: {6FE760D3-7851-4879-8838-62D9881D7177} (IniMasHandler Class) - http://emailimg.sktelecom.com/inimas/autoc...niMasPlugin.cab
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.myipq.com/hosting/cibrowser/cib...r_1_1_1_119.cab
O16 - DPF: {799BB2EC-572A-42A9-84AD-112806F4F551} (Imweb Control) - http://activexdown.paran.com/paranactivex/data/imweb.cab
O16 - DPF: {79C871A6-F9C8-44DA-B2C9-CD9438D9642C} (EZXSInstaller Control) - http://www.buykorea.org/buykorea/front/ezx...xsinstaller.cab
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Published/.../xw_install.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.vrboard.co.kr/bin/cortvrml.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9/dmcc2.cab
O16 - DPF: {93F79C47-F414-4EEE-95C5-A0F0ACE59A0E} (ALDx Class) - http://www.altools.co.kr/ALDX.cab
O16 - DPF: {97745861-F1A6-45B2-8AD1-0C17334550E6} (YahooCabinet Control) - http://img.yahoo.co.kr/ycabinet/cab/YahooCabinet.cab
O16 - DPF: {9BDBC41E-C335-4263-83C0-ECE78EE28A33} (SysMonOCX Control) - http://ahnlabdownload.nefficient.co.kr/plu...yfirewall20.cab
O16 - DPF: {9DD4E0E8-2CED-4064-BF11-DDB2196CEC40} (SOLWeB4SIB Class) - http://www.solomonbank.com/cab/SOLWeB4SIB.cab
O16 - DPF: {A099920B-630C-426B-91EC-737685CEEE17} (AxCrossCert Class) - http://www.solomonbank.com/cab/AxCrossCert_2.5.0.1.cab
O16 - DPF: {A671DC03-71D0-4CF0-895C-7D4A248FC1F1} (skcbgmset Class) - http://cyimg7.cyworld.nate.com/cymusic/package/skcbgmset.cab
O16 - DPF: {B0A75875-3622-48BA-B5FF-45AD77AC2D0E} (BankPayEFTCtrl Control) - http://download.auction.co.kr/activexpay/BankPayEFT.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://cdn.hangame.com/hangame/hansetup/HanSetup1008.cab
O16 - DPF: {D572CD64-9310-4712-8FFC-A4F9DC9D4AC1} (QbicUpdate Control) - http://qbic.hanafos.com/component/QbicUpdate.CAB
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/nprotect/keb/check_new/npkcx.cab
O16 - DPF: {D95F5F60-5BB7-4655-BACE-FC5371EFC3E0} (Npx2 Control) - http://update.nprotect.net/nprotect/keb/check_new/npx2.cab
O16 - DPF: {D96D2F74-0B74-47D2-964F-B67E9F69F1CD} (CongnamulMap4Asp Control) - http://asp.congnamul.com/AspActiveX/CongnamulMap4Asp_V23.cab
O16 - DPF: {D9701E87-A34D-11D4-BE29-000102598CE4} (VrUpdate Control) - http://download.hauri.net/Kor/online_up/vrupdate.cab
O16 - DPF: {DA76E8AE-2E7F-49A8-B5F2-D1C4FF70ECD5} (SamsungMap Control) - http://mapsvc.samsung.co.kr/ActiveX/SamsungMap_V25.cab
O16 - DPF: {DCD7F1D9-8E57-45F8-8C0C-4400CD84C8BF} (Imhtml Control) - http://activexdown.paran.com/paranactivex/data/imhtml.cab
O16 - DPF: {DDE6FED7-88AB-405B-9D77-FD4CDA8B9EB5} (Qbic Control) - http://qbic.hanafos.com/component/Qbic.CAB
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Release/C...amulMap_V17.cab
O16 - DPF: {E40DEFEA-9133-4374-BB1B-E138DEFFF247} (SOLWeBLiveUpdate Class) - http://www.solomonbank.com/cab/SOLWeBLiveUpdate.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {F1F07506-6CB4-44AC-8615-66D1234EFD05} - http://image.shinhan.com/initech/plugin/ve...NISafeWeb50.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again!

pcdome

#4 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 11 July 2006 - 05:06 AM

Back again,
  • I want to classify the conime.exe entry first.
    • Please navigate to the C:\WINDOWS\System32\ directory
    • Locate the conime.exe file.
    • Right-click the file and select Properties
    • Click the Version tab and make a note of the
      • File Version
      • Description
      • Copyright
    • Finally please make a note of the information in Other version information
    • Because it could either be Microsoft's 'console ime' or BFGhost, please upload conime.exe to the following agencies for detailed analysis.
    • First I would like you to upload the file to the Jotti web site.
      • Click on the Browse button and navigate to the C:\WINDOWS\System32\ directory
      • Locate the conime.exe file and click to select
      • Click the Submit button
      • You may have to try more than once if the service load is close to 100% but you will get an online answer
      • Please copy the response and post in your next reply
    • Now repeat the upload to the VirusTotal site.
      • Click the Browse button, navigate to the conime.exe and click to select.
      • Click the Send icon
      • This time you will receive an email response
      • Please copy the contents and place in your next reply
  • Please forward the information about the file and any other amplifying comments
GT :thumbsup:

#5 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 12 July 2006 - 07:46 AM

Hey Whisperer,

Alright as I said before I don't really know much about things going on in my computer, but the virus scan's look okay. :thumbsup: I'll post all info below, maybe I jumped the gun but all the info I found on conime.exe was that it was a BF Ghost from some Korean software, and I figued I live in Korea & my wife is Korean so I could maybe have easily stumbled across it. Anyhow, from running the previous scans & my HJT log, I think I still have some problems going on, so I look forward to your help.

Property info on Conime.exe:

File Version: 5.1.2600.1106

Description: Console IME

Copyright: Microsoft Corp.

Other Version Information:

Company: Microsoft

File Version: 5.1.2600.1106 (xpsp1.020828-1920)

Internal Name: Console

Language: English (U.S.)

Original File Name: Conime.exe

Product Name: Microsoft Windows Operating System

Product Version: 5.1.2600.1106


Jotti.org Scan Results:

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File to upload & scan:
Service
Service load: 0% 100%

File: conime.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 4ccf9182fe0be9cc2992f8a9e361cc49
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

VirusTotal Scan Results:

Antivirus Version Update Result
AntiVir 6.35.0.21 07.12.2006 no virus found
Authentium 4.93.8 07.11.2006 no virus found
Avast 4.7.844.0 07.12.2006 no virus found
AVG 386 07.12.2006 no virus found
BitDefender 7.2 07.12.2006 no virus found
CAT-QuickHeal 8.00 07.12.2006 no virus found
ClamAV devel-20060426 07.11.2006 no virus found
DrWeb 4.33 07.12.2006 no virus found
eTrust-InoculateIT 23.72.66 07.11.2006 no virus found
eTrust-Vet 12.6.2295 07.12.2006 no virus found
Ewido 4.0 07.12.2006 no virus found
Fortinet 2.77.0.0 07.12.2006 no virus found
F-Prot 3.16f 07.11.2006 no virus found
F-Prot4 4.2.1.29 07.11.2006 no virus found
Ikarus 0.2.65.0 07.11.2006 no virus found
Kaspersky 4.0.2.24 07.12.2006 no virus found
McAfee 4804 07.11.2006 no virus found
Microsoft 1.1481 07.10.2006 no virus found
NOD32v2 1.1655 07.12.2006 no virus found
Norman 5.90.23 07.12.2006 no virus found
Panda 9.0.0.4 07.12.2006 no virus found
Sophos 4.07.0 07.12.2006 no virus found
Symantec 8.0 07.12.2006 no virus found
TheHacker 5.9.8.173 07.11.2006 no virus found
UNA 1.83 07.11.2006 no virus found
VBA32 3.11.0 07.11.2006 no virus found
VirusBuster 4.3.7:9 07.11.2006 no virus found

Thank you again. I'm really hoping there is nothing majorly bad in here.

PcDome

#6 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 12 July 2006 - 03:56 PM

Hi pcdome,

Thanks for the file information, I am pleased to say that your version of conime is indeed the Microsoft Console IME so we can move on to the rest of the log, and there is not much wrong with that, one undesirable program, a couple of resource hogs and an out-of-date Java installation.
  • Your Java installation is out of date as the current release is Update 7.Next we will remove a couple of old Java installations – not 7!
  • Click Start and open Control Panel
    • Select Add or Remove programs
    • Locate each of the following programs in turn, select and then click Remove
      • J2SE Runtime Environment 5.0 Update 4
      • J2SE Runtime Environment 5.0 Update 6

        P2P programs are notorious for the malware that can be placed on a computer, mainly in the form of unwanted adverts but occasionally worse. Some of them come complete with Malware on installation but I am pleased to report that your P2P program – BitComet – is a clean one. You are still vulnerable to Malware from the programs that you download with it. If you can live without it then remove this program.
      • BitComet 0.56
    Now cleaning the HijackThis log
  • With all other windows closed, start your HijackThis and click on Scan
    • Click in the check-box to the left of each of the following entries, if found
      • R3 - Default URLSearchHook is missing
      • O4 - HKLM\..\RunOnce: [NAVNT 2005Seq] C:\DOCUME~1\Robb\LOCALS~1\Temp\LUProdRg.exe /f:C:\DOCUME~1\Robb\LOCALS~1\Temp\2005LU~1.INI /s:SPW_Set_Sequence
      • O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

        AdSpider started life as a rogue spyware solution in that it used to create false positives to induce you to purchase the program to clear the 'problems', once you had purchased it, it was an ineffective anti-spyware solution. It has now cleaned up its act but still is not a really effective anti-spyware solution. I recommend its removal, I will make recommendations later for a better solution. If you decided to remove AdSpider then include the next two entries
      • O4 - HKLM\..\Run: [ADSpider] C:\Program Files\ADSPider\ADSpider.exe /start
      • O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll

        If you have decided to remove BitComet then check this one
      • O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"

        You have a plethora of O16 entries, there are some bad ones and some good ones but as each of them takes more than a little time to investigate, you can give yourself a fresh start by checking ALL of the O16 entries. The next time that you visit the site a new O16 entry will be installed automatically.

        Finally you can remove these as they are resource hogs. Removing them just prevents them starting up with the computer but the program remains.
      • O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      • O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    • Select Fix Checked
  • That should be it so please post
    • A new HijackThis log to confirm
    • Comments on how the computer is behaving now
GT :thumbsup:

#7 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 13 July 2006 - 10:03 AM

Alright Whisperer,

I've done everything you said, except get rid of BitComet. (It's something I can't live without, sorry.) :thumbsup:

Now, I don't have a report yet on how things are running yet, b/c I've just completed what you told me to do. I do have one item that I found when I came home tonight, and it's a problem I've seen before but I thought it was finally cleaned out when I completed the initial 5 steps before posting my HJT log, b/c I haven't seen this warning since then. Here's the warning:

Norton Anti Virus
High Risk
Norton AntiVirus has detected a virus on your computer.
Object Name: C:\Documents and ...\msc32.exe (Personal Note: The "..." is appears in the warning and I can't find out what the directory actually is.)
Virus Name: W32.HCCW.Gaobot.gen (Personal Note: Sorry I'm very tired and when I hand wrote the warning it was very messy, I didn't realize it at the time, so that could be W32.HLLW.Gaobot.gen or W32.HLCW.Gaobot.gen or W32.HCLW.Gaobot.gen)
Action taken: Unable to repair this file


I then click OK and the same message comes up 3 or 4 more times, and then the last one says in the "Action taken" field: "Access to file was denied."

Please update me if this is something I should be worried about, and if so how can I fix it. Thanks.

When I fixed the HJT problems, I folder was created called backups. I didn't instruct the program to do this it did it automatically. Should I keep or delete this folder? Otherwise all seems good. Here is my most recent HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:59 PM, on 7/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Thanks again your the best!!! :flowers:

pcdome

Edited by pcdome, 13 July 2006 - 10:05 AM.


#8 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 15 July 2006 - 06:53 AM

Hi pcdome,

Norton could be pulling that file from one of the backup files but you did have some peculiar early symptoms that you spelt out, so we will continue on the side of caution. I would like you to download and use a different cleaner and a scanner
  • Your current log is clean (excepting the P2P lol), but it is possible that something is hiding from HijackThis. To check this I would like you confirm your configuration settings.
    • Please click Start and select Run.
    • In the run box, type in MsConfig and from the dialogue box, select the General tab
    • Select the top radio button labelled Normal Startup – load all device drivers and services
    • If this was not already selected, please post a new HijackThis log and then carry on with the remaining cleaning.
  • Download CCleaner
    • Select the Download Latest Version link (top of green column) and save to your desktop
    • Right-click the ccsetup127.exe file on your desktop and select Open
    • Follow the on-screen instructions through to the Install Options page. I suggest you only retain the following 2 options
      • Add Desktop Shortcut
      • Automatically check for updates etc…
    • Click Install
      To setup CCleaner
    • Click on the CCleaner icon on your desktop.
    • From the menu on the left select Options
    • Now select Advanced. On the right remove the check against Only delete files in Windows Temp folders older than 48 hours.
    • Select Cookies. When CCleaner is run it will remove all of the cookies in the left window; if there are cookies that you wish to retain then select them and transfer them to the right window. Multiple selections can be made by holding down the Ctrl key before selecting.
    • Select Cleaner from the left menu and the Windows tab
      • Under Internet Explorer place ticks in all but the last box
      • Under Windows Explorer tick the last two only
      • Under System tick all boxes
      • There is no need to tick anything under Advanced
    • From the menu on the left click on Analyze
    • When the analysis is complete, click on Run Cleaner and OK at the next screen.
    • Close CCleaner
  • Download the Ewido security suite here the suite is fully functional on a trial basis
    • Deselect the Run Ewido now option and close the installer
    • Launch ewido, there should be an orange Turks head icon on your desktop or in the Systray, double-click it.
    • Click the Update now button.
    • When the update has completed click on theScanner icon at the top menu
      • Click on Settings tab
      • Confirm that all check boxes are ticked on the left
      • Under Reports , select the first option to Automatically generate report after every scan and remove the check against Only if threats were found
      • Scan every file is selected
    • Exit Ewido for now.
    I suggest that you print out the following instructions or highlight the remainder and save to a WordPad file on your desktop as you will no longer have an internet connection until we have finished this phase of the clean up
  • Physically disconnect your computer from the internet by unplugging the lead.
  • Reboot the computer into safe mode using a clean boot sequence
    • Select the Start button and Turn Off Computer
    • Select the Turn Off option, when the computer has shut down switch off the power supply.
    • After 10 seconds, restore the power supply and switch on the computer
      • Some computers have a progress bar that refers to the word BIOS. Others may not let you know what is happening.
      • As soon as the BIOS loads, or a single Beep is heard then begin tapping the F8 key on your keyboard. Do so until the Windows Advanced Options menu appears.
      • If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. If this happens, restart the computer and try again.
      • Using the arrow keys on the keyboard, select Safe mode and then press Enter.
    • When in Safe mode you will have your desktop with the word ‘Safe’ in the 4 corners.
  • To reduce the chance of AntiSpyware interfering with the fixes, please stop all antispyware on your computer. If you right-click on the appropriate icon(s) in the systems tray you will find an option to ‘exit’. When you reboot, this will all return to normal.
  • I would now like you to run the Ewido program
    • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Open the programme by clicking on the orange Turks head
      • Click on the Scanner icon at the top
      • Select the Scan tab and then the Complete system scan option.
      • Let the program scan the machine, the progress is shown and could take a little time.
    • When the scan has finished:
      • Ensure that Set all elements to: is set to Quarantine if not click on the link and choose Quarantine from the popup menu.
      • At the bottom of the window click on the Apply all Actions button.
    • When done, click the Save Scan Report button.
      • Click theSave Report as button.
      • Save the report to your Desktop.
    • Right-click the Ewido Tray Icon and select Exit . Confirm by clicking Yes .
  • Reboot back to Normal
  • Please post
    • A second HijackThis log
    • The Ewido log
    • Updated comments on the computers behaviour
GT :thumbsup:

#9 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 17 July 2006 - 06:48 AM

Hi Whisperer,

Okay I'm posting a new HJT log, b/c the radio button labelled Normal Startup was not selected, instead the Selective Startup button was. This HJT log was created before downloading CCcleaner as your posting suggessted. After posting this log I will download CCcleaner.

I hope this helps.

Thanks,

pcDome

Logfile of HijackThis v1.99.1
Scan saved at 8:44:42 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\Program Files\BitComet\BitComet.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 17 July 2006 - 07:54 AM

Thanks for the log, looking a it now. Looking forward to the ewido log etc.

GT :thumbsup:

Edited by Whisperer, 17 July 2006 - 07:55 AM.


#11 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 17 July 2006 - 09:11 AM

Hi Whisperer,

It looks like I just missed you.

Okay first is the Ewido log, then the new HJT log, and finally comments on my computer's performance.

Ewido log:

ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:49:51 PM 7/17/2006

+ Scan result:



C:\Documents and Settings\Robb\Local Settings\Application Data\Microsoft\Internet Explorer\V0.26.dat -> Trojan.Dialer.fy : Cleaned with backup (quarantined).


::Report end

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:00:36 PM, on 7/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\SIGMA\TV\sigmatv.exe
C:\Program Files\Sigma\common\SMBM.EXE
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\CFusionMX7\runtime\bin\jrunsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe
C:\CFusionMX7\runtime\bin\jrun.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Juice\Juice.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2server.exe
C:\CFusionMX7\verity\k2\_nti40\bin\k2index.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TV_Path] C:\Program Files\SIGMA\TV\sigmatv.exe /t
O4 - HKLM\..\Run: [SMBM] C:\Program Files\Sigma\common\SMBM.EXE /D
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - Startup: Juice.lnk = C:\Program Files\Juice\Juice.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {C044CD87-DFB0-4130-A5E4-49361106FBC8} (HanSetupCtrl1008 Class) - http://id.hangame.com/common/HanSetup1008.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ColdFusion MX 7 Application Server - Macromedia Inc. - C:\CFusionMX7\runtime\bin\jrunsvc.exe
O23 - Service: ColdFusion MX 7 Search Server - Unknown owner - C:\CFusionMX7\verity\k2\_nti40\bin\k2admin.exe" -cfg "C:\CFusionMX7\verity\k2\common\verity.cfg" -ntstart 1 (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Comments:

Okay since changing the MSConfig Startup (I'm not sure if that's what it was called, I didn't print that part of the post.) Anyhow, the part that I changed to Normal Startup, many programs that I no longer had launching at startup, are now launching at startup. Which in turn, has slowed my computer waaaayyyy down, of course. So any help on this would also be great.

Have a good day, I'm going to bed!

pcDome

#12 Whisperer

Whisperer

  • Members
  • 405 posts
  • OFFLINE
  •  
  • Local time:07:47 PM

Posted 18 July 2006 - 11:41 AM

Hi pcdome

Ewido proved its worth again by finding that one! In this session I want to glean some more information, try and clear up a couple of loose ends and then go through 3 of your 4 points you made earlier as we have resolved conime.
  • I now need you to ensure that any hidden and system files are visible to the system.
  • Select the Start button and from the available options
  • Right-click the My Computer option.
  • Select Explore from the drop-down menu
  • Select the Tools menu and click Folder Options. from the new window
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders by clicking in the check-box to its left
  • Remove the check against Hide protected operating system files (recommended) option, again by clicking the check-box to its left.
  • Click Yes to confirm.
  • Click OK.
  • Windows does not search for hidden or system files by default so
  • Click the Start button and select Search choosing For Files or Folders
  • From the dialogue box select All files and folders and at the bottom select More Advanced Options
  • Place selection ticks in the check-boxes for
  • Search system folders
  • Search hidden files and folders
  • Search subfolders
[*]Close the search dialogue box
[/list][*]I would like to continue this session with a question. Stinger found an infected file called CDmage in the h0ya directory, what can you tell me about this directory, what it is, number of files and whether it is required for further use by you. The full path was C:\Documents and Settings\Robb\MyDocuments\h0ya . Please post the information when you are able. My expert advisor believes that this could be a false positive that Stinger has found but recommends a removal trial just in case.
  • Please download and run this tool to remove the W32/Pate virus
  • If you wish to run Stinger again then feel free to do so. I learned that the .dam extension on the file meant that it was damaged and therefore as a virus - dormant
[*]Next the question of a decent firewall. I assume that in the absence of a successful ZoneAlarm installation that you reverted to or retained the Microsoft firewall – half a firewall is better than none. I would like you to try again to install a better firewall.
  • It would appear that version 6.5 of ZoneAlarm is a bit buggy therefore we will try 6.1 and, if successful, then refuse any update offers to 6.5 for a while :thumbsup:
  • Please download ZoneAlarm 6.1 from this link , and save it to your desktop.
  • Disconnect physically from the internet whilst we effect the changeover
  • Shut down the windows firewall
  • Now install the 6.1 version that you downloaded, let me know if you continue to have problems
[*]Your Java installation is out of date as the current release is Update 7.
  • Please go to this link to update your Java.
  • Click Start and open the Control Panel . Select Add or Remove programs
  • From the populated list select the following programs and then Remove
  • J2SE Runtime Environment 5.0 Update 4
  • J2SE Runtime Environment 5.0 Update 6
[*]I can find very little information about the TSPY_CLICKER that was reported by Trend Micro, but all antivirus solutions have different names for different virii – very confusing. Ewido did find a dialler and successfully quarantined it so…
  • Open ewido and select the Infections icon
  • Click the Select All button and then the Remove finally button
  • Now please run the online scanner at Trend Micro again to see whether the file has now gone. If it is still there then take as much detail as you can about its whereabouts on your computer and we will try a different tack.
[/list]GT :flowers:

#13 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 18 July 2006 - 06:02 PM

Hi Whisperer,

I don't have the time right now to do everything you asked, because I have to get ready to go to work. :thumbsup: But, I wanted to post a comment real quick to your reply, because I think it is strange. You asked me before to install the new java 7 and remove the old java programs, which I did. But now your posting is saying that I still have the out of date java programs, and not the new ones.

Any thoughts on why this happened?

Thanks,

pcDome

#14 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 18 July 2006 - 08:32 PM

Hello again,

My a.m. classes have been cancelled. :thumbsup: So, now I can finish going through your posting.

I have set the computer to look for all hidden files and folders, etc.

I looked into the CDmage file in h0ya directory. I see no reason why this can't be removed it was something that my "computer expert" friend put on my computer when I first bought this. I never use this program, so I can get rid of it. Please instruct me how to do so.

I tried to run your tool for removing the W32/Pate virus, however, your link did not work.

I installed ZoneAlarm 6.1, no problem. I just would like to know about setting it up in the future. I'm currently using a single pc and have set ZoneAlarm to "Keep in Internet Zone". In October, I will be getting married and at that point I will be setting up a network with my wife's computer & possibly one more we might get as a gift. Wahoo! 3 computers!!! :flowers: Anyhow, could you please tell me how I can change ZoneAlarm to operate on the network after I establish one. Thanks.

Regarding Java 7, when I went to the site I accidentally clicked the verify installation link, and it told me that I already have Java 7. I then proceeded to remove the old Java software, and could not find it in the Add/Remove Programs option. So, if it's being reported then I guess this is still a problem that needs to be resolved. Sorry. :huh:

Lastly, after removing finally the infection from ewido, I returned to the Trend Micro scanner. While Trend Micro was about 20 minutes into the scan my computer shut down/crashed on it's own and restarted. I don't know if this was because of a conflict or not from Trend Micro, or what happened exactly. I am currently running Trend Micro again. I am posting this reply before Trend Micro finishes just in case the pc crashes again. I will post the results after Trend Micro finishes.

Thanks again.

pcDome

#15 pcdome

pcdome
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:03:47 AM

Posted 18 July 2006 - 09:24 PM

Good news!

Trend Micro did not find the Tspy_clicker anymore. My computer also did not crash the second time Trend Micro was run.

Look forward to your post.

pcDome




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users