Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Freewebs Is Ruining My Life


  • This topic is locked This topic is locked
12 replies to this topic

#1 alderamo

alderamo

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 17 September 2006 - 10:05 PM

I have had Freewebs pop up on my computer at every start and reboot for the past year or maybe even longer. I can't stand it anymore. I have tried every removal program out there. Please please please help me solve this. Thank you SO much. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:23 PM, on 9/17/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\yqpgfwvh.exe
C:\xa.exe
C:\Program Files\Rbqkc\Botka.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\fa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Documents and Settings\aderamo\My Documents\Download\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.umass.edu"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\yqpgfwvh.exe
O4 - HKLM\..\Run: [WinUpgrader] C:\xa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [Pghicly] C:\Program Files\Rbqkc\Botka.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Antivirus Installer] C:\fa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384790876
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384778227
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

BC AdBot (Login to Remove)

 


m

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 18 September 2006 - 08:31 AM

Hello and welcome :thumbsup:

Please post the following logs...
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post.
----

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply along with the Uninstall list.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by Rawe, 18 September 2006 - 08:31 AM.

Hi there, stranger!

#3 alderamo

alderamo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 18 September 2006 - 02:32 PM

This is the uninstall list:

Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 7.0.8
AOL Instant Messenger
Carbon Copy 32
CardRd81
CC_ccProxyExt
ccCommon
CCHelp
ccPxyCore
CCScore
CheckIt Diagnostics
Compaq Automatic Updating for Windows
Compaq Digital Dashboard LED
Compaq Hardware Discovery
Compaq IE5 Custom US v1.0.0.4
Compaq IJ300 Electronic Registration
Compaq Knowledge Center
Compaq Wizard Host Online
CR2
Easy Access Button Support
ESSAdpt
ESSANUP
ESSBrwr
ESSCAM
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTUTOR
ESSvpaht
ESSvpot
FoodWorks College Edition
HijackThis 1.99.1
HLPCCTR
HLPIndex
HLPPDOCK
HLPSFO
HSP56 MicroModem Drivers
Instant Wireless USB Adapter
IPIX ActiveX Viewer
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Kodak EasyShare software
KSU
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Logitech iTouch Software
Macromedia Flash Player 8
Macromedia Shockwave Player
MGI PhotoSuite 8.1 (Remove Only)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
Microsoft Works 2000
Microsoft XML Parser and SDK
MSRedist
MSRedist
NCLEX-RN 3500 - Individual Version
Netscape (7.2)
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton SystemWorks
Norton SystemWorks 2005 (Symantec Corporation)
Norton Utilities
Norton WMI Update
Norton WMI Update
Notifier
NSW_DRM_COLLECTION
NVIDIA Display Driver
OfotoXMI
OTtBP
OTtBPSDK
Outlook Express Q823353
PCDLNCH
QuickCam
QuickTime
Service Connection
SFR
SFR2
SoundMAXWDM
SPBBC
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
VCAMCEN
VPRINTOL
Winamp (remove only)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Application Compatibility Update[Q313484]
Windows XP Application Compatibility Update[Q319580]
Windows XP Hotfix - KB821253
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q307869 for more information]
Windows XP Hotfix (SP1) [See Q308210 for more information]
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q309691 for more information]
Windows XP Hotfix (SP1) [See Q311542 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314147 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q321856 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) [See Q328940 for more information]
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696
Windows XP Hotfix (SP2) [See Q329115 for more information]
WMP7 Customizations
XoftSpy

And this is the log from Combofix:

ComboFix 06.09.14 - Running from: C:\Documents and Settings\aderamo\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-08-18 to 2006-09-18 ))))))))))))))))))))))))))))))))))


2006-09-16 10:27 977,920 --a------ C:\WINDOWS\SYSTEM32\msdtctm.dll
2006-09-16 10:27 97,280 --a------ C:\WINDOWS\SYSTEM32\txflog.dll
2006-09-16 10:27 82,432 --a------ C:\WINDOWS\SYSTEM32\mtxoci.dll
2006-09-16 10:27 64,512 --a------ C:\WINDOWS\SYSTEM32\mtxclu.dll
2006-09-16 10:27 64,512 --a------ C:\WINDOWS\SYSTEM32\colbact.dll
2006-09-16 10:27 596,480 --a------ C:\WINDOWS\SYSTEM32\catsrvut.dll
2006-09-16 10:27 499,200 --a------ C:\WINDOWS\SYSTEM32\comuid.dll
2006-09-16 10:27 442,880 --a------ C:\WINDOWS\SYSTEM32\rpcrt4.dll
2006-09-16 10:27 365,568 --a------ C:\WINDOWS\SYSTEM32\msdtcprx.dll
2006-09-16 10:27 226,816 --a------ C:\WINDOWS\SYSTEM32\es.dll
2006-09-16 10:27 225,280 --a------ C:\WINDOWS\SYSTEM32\catsrv.dll
2006-09-16 10:27 214,528 --a------ C:\WINDOWS\SYSTEM32\rpcss.dll
2006-09-16 10:27 150,528 --a------ C:\WINDOWS\SYSTEM32\msdtcuiu.dll
2006-09-16 10:27 110,080 --a------ C:\WINDOWS\SYSTEM32\clbcatex.dll
2006-09-16 10:27 1,177,088 --a------ C:\WINDOWS\SYSTEM32\comsvcs.dll
2006-09-16 10:27 1,105,408 --a------ C:\WINDOWS\SYSTEM32\ole32.dll
2006-09-16 10:26 593,408 --a------ C:\WINDOWS\SYSTEM32\h323msp.dll
2006-09-16 10:26 550,400 --a------ C:\WINDOWS\SYSTEM32\rtcdll.dll
2006-09-16 10:26 48,640 --a------ C:\WINDOWS\SYSTEM32\browser.dll
2006-09-16 10:26 454,656 --a------ C:\WINDOWS\SYSTEM32\ipnathlp.dll
2006-09-16 10:26 36,864 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2006-09-16 10:22 947,472 --a------ C:\WINDOWS\SYSTEM32\msjava.dll
2006-09-16 10:22 63,248 --a------ C:\WINDOWS\SYSTEM32\javaprxy.dll
2006-09-16 10:22 49,424 --a------ C:\WINDOWS\SYSTEM32\clspack.exe
2006-09-16 10:22 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-09-16 10:22 404,752 --a------ C:\WINDOWS\SYSTEM32\javart.dll
2006-09-16 10:22 313,856 --a------ C:\WINDOWS\SYSTEM32\dx3j.dll
2006-09-16 10:22 286,992 --a------ C:\WINDOWS\SYSTEM32\vmhelper.dll
2006-09-16 10:22 21,264 --a------ C:\WINDOWS\SYSTEM32\msjdbc10.dll
2006-09-16 10:22 187,152 --a------ C:\WINDOWS\SYSTEM32\javacypt.dll
2006-09-16 10:22 172,304 --a------ C:\WINDOWS\SYSTEM32\jview.exe
2006-09-16 10:22 171,792 --a------ C:\WINDOWS\SYSTEM32\wjview.exe
2006-09-16 10:22 171,280 --a------ C:\WINDOWS\SYSTEM32\jit.dll
2006-09-16 10:22 154,384 --a------ C:\WINDOWS\SYSTEM32\msawt.dll
2006-09-16 10:22 15,120 --a------ C:\WINDOWS\SYSTEM32\jdbgmgr.exe
2006-09-16 10:22 139,536 --a------ C:\WINDOWS\SYSTEM32\javaee.dll
2006-09-16 10:22 113 --a------ C:\WINDOWS\SYSTEM32\zonedon.reg
2006-09-16 10:22 113 --a------ C:\WINDOWS\SYSTEM32\zonedoff.reg
2006-09-16 10:19 218,624 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2006-09-16 01:49 71,749 --a------ C:\WINDOWS\hcextoutput.dll
2006-09-16 01:47 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2006-09-16 01:47 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2006-09-16 01:35 127,208 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-16 11:44 -------- d-------- C:\Program Files\XoftSpy
2006-09-16 01:49 86094 --a------ C:\WINDOWS\BPMNT.dll
2006-09-16 01:49 176709 --a------ C:\WINDOWS\tsc.exe
2006-09-16 01:49 1101904 --a------ C:\WINDOWS\vsapi32.dll
2006-09-16 01:47 69689 --a------ C:\WINDOWS\UNZIP.DLL
2006-09-16 01:47 507904 --a------ C:\WINDOWS\TMUPDATE.DLL
2006-09-16 01:47 286720 --a------ C:\WINDOWS\PATCH.EXE
2006-07-08 15:17 74296 --a------ C:\Documents and Settings\aderamo\Application Data\GDIPFONTCACHEV1.DAT


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WebCamRT.exe"=""
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adware Remover"="C:\\WINDOWS\\System32\\yqpgfwvh.exe"
"WinUpgrader"="C:\\xa.exe"
"SystemTray"="SysTray.Exe"
"POINTER"="C:\\Program Files\\Microsoft Hardware\\Mouse\\point32.exe"
"Pghicly"="C:\\Program Files\\Rbqkc\\Botka.exe"
"PCTVOICE"="pctspk.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"NeroCheck"="C:\\WINDOWS\\System32\\NeroCheck.exe"
"CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\cpqeadm.exe"
"Antivirus Installer"="C:\\fa.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.poster.net/monet-claude/monet-claude-crepuscolo-2402694.jpg"
"SubscribedURL"="http://www.poster.net/monet-claude/monet-claude-crepuscolo-2402694.jpg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,de,00,00,00,2b,00,00,00,9c,00,00,00,9c,00,00,00,e8,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,e3,ff,ff,ff,bf,00,00,00,00,04,00,00,ff,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://shim1.shutterfly.com/procsserv/F-ANGLFo5bt2rk8kF8Fs7ng"
"SubscribedURL"="http://shim1.shutterfly.com/procsserv/F-ANGLFo5bt2rk8kF8Fs7ng"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,fa,00,00,00,b8,00,00,00,f5,01,00,00,4a,01,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,16,02,00,00,2b,00,00,00,e0,01,00,00,41,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,fa,00,00,00,b8,00,00,00,f5,01,00,00,4a,01,\
00,00,01,00,00,40

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://shim1.shutterfly.com/procsserv/F-ANGLFo5bt2rkxCQXwWzubg"
"SubscribedURL"="http://shim1.shutterfly.com/procsserv/F-ANGLFo5bt2rkxCQXwWzubg"
"FriendlyName"=""
"Flags"=dword:00000001
"Position"=hex:2c,00,00,00,d6,00,00,00,ba,00,00,00,e0,01,00,00,41,01,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,00
"OriginalStateInfo"=hex:18,00,00,00,16,02,00,00,2b,01,00,00,e0,01,00,00,41,01,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,d6,00,00,00,ba,00,00,00,e0,01,00,00,41,01,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,40,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\Money Express.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=hex:00,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"Service Connection"="c:\\cpqs\\bwtools\\sccenter.exe"
"zBrowser Launcher"="C:\\PROGRA~1\\LOGITECH\\ITOUCH\\iTouch.exe"
"Tray Temperature"="C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHERBUG.EXE 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Hidserv"="Hidserv.exe run"
"CPQInet"="c:\\compaq\\CPQInet\\CpqInet.exe"
"Digital Dashboard"="C:\\Program Files\\Compaq\\Digital Dashboard\\DevGulp.exe"
"CountrySelection"="pctptt.exe"
"PCTVOICE"="pctvoice.exe"
"LexStart"="Lexstart.exe"
"LexmarkPrinTray"="PrinTray.exe"
"DXM6Patch_981116"="C:\\WINDOWS\\p_981116.exe /Q:A"
"LVComs"="C:\\WINDOWS\\SYSTEM32\\LVComS.exe"
"MotiveMonitor"="C:\\Program Files\\Motive\\motmon.exe"
"Tray Temperature"="C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHERBUG.EXE 1"
"SVAPlayer"="C:\\Program Files\\SVA Player\\SVAPLAYER.EXE"
"Pop-Up Stopper"="\"C:\\PROGRAM FILES\\PANICWARE\\POP-UP STOPPER\\DPPS2.EXE\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices-]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Tune-up Application Start.job
C:\WINDOWS\tasks\Synchronize Time.job
C:\WINDOWS\tasks\PCHealth Scheduler for Data Collection.job
C:\WINDOWS\tasks\Maintenance-Defragment programs.job
C:\WINDOWS\tasks\Symantec Drmc.job
C:\WINDOWS\tasks\Maintenance-Disk cleanup.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - aderamo.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

Completion time: Mon 09/18/2006 15:34:02.53
ComboFix.txt

Edited by alderamo, 18 September 2006 - 02:46 PM.


#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 19 September 2006 - 10:24 AM

Please run a scan with HijackThis and check the following objects for removal:

O4 - HKLM\..\Run: [Adware Remover] C:\WINDOWS\System32\yqpgfwvh.exe
O4 - HKLM\..\Run: [Pghicly] C:\Program Files\Rbqkc\Botka.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis and reboot.

----

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files - option.

Now, delete the following folder & file if present:

C:\WINDOWS\System32\yqpgfwvh.exe
C:\Program Files\Rbqkc


Empty recycle bin & rehide hidden files.

-----

Reboot normally.

Surf here: www.virustotal.com

Next to the "Browse" button, in the blank field paste the following: C:\fa.exe

Hit "Send". Then, wait until the scanners are done. Copy & paste the results here. Then do the same for this file: C:\xa.exe

Post those results too, along with a fresh HijackThis log :thumbsup:
Hi there, stranger!

#5 alderamo

alderamo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 19 September 2006 - 10:27 PM

HELLO. I HOPE I DID THIS RIGHT! YOU HAVE A LOT OF PATIENCE! THANK YOU SO MUCH FOR YOUR HELP. IT'S AMAZING THE STEPS INVOLVED TO SOLVE THIS.

Results for fa.exe:

STATUS: FINISHEDComplete scanning result of "fa.exe", received in VirusTotal at 09.20.2006, 05:17:42 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.19.2006 TR/Drop.Agent.MM.9
Authentium 4.93.8 09.19.2006 no virus found
Avast 4.7.844.0 09.19.2006 Win32:Trojan-gen. {Other}
AVG 386 09.19.2006 Dropper.Agent.BP
BitDefender 7.2 09.20.2006 Trojan.Dropper.Agent.MM
CAT-QuickHeal 8.00 09.18.2006 TrojanDropper.Agent.mm
ClamAV devel-20060426 09.20.2006 Trojan.Delf-48
DrWeb 4.33 09.20.2006 Trojan.DownLoader.2282
eTrust-InoculateIT 23.72.128 09.19.2006 Win32/SecDrop.179712!Trojan
eTrust-Vet 30.3.3086 09.19.2006 Win32/Secdrop.KB
Ewido 4.0 09.19.2006 Dropper.Agent.mm
Fortinet 2.82.0.0 09.20.2006 W32/Agent.MM!tr
F-Prot 3.16f 09.19.2006 no virus found
F-Prot4 4.2.1.29 09.19.2006 no virus found
Ikarus 0.2.65.0 09.19.2006 Trojan-Dropper.Win32.Agent.MM
Kaspersky 4.0.2.24 09.20.2006 Trojan-Dropper.Win32.Agent.mm
McAfee 4855 09.19.2006 QLowZones-21
Microsoft 1.1560 09.19.2006 TrojanDropper:Win32/Agent!3280
NOD32v2 1.1763 09.19.2006 Win32/TrojanDropper.Agent.MM
Norman 5.90.23 09.19.2006 W32/Agent.ENZ
Panda 9.0.0.4 09.19.2006 Adware/MediaTickets
Sophos 4.09.0 09.20.2006 Troj/Badgent-A
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.073 09.19.2006 Trojan/Dropper.Agent.mm
UNA 1.83 09.19.2006 TrojanDropper.Win32.Agent.EC98
VBA32 3.11.1 09.19.2006 Trojan-Dropper.Win32.Agent.mm
VirusBuster 4.3.7:9 09.19.2006 no virus found


Aditional Information
File size: 179712 bytes
MD5: 48bb940b1ca8616edae8f6282fd6e468
SHA1: 02af7665640a34542ed403a56e02455d29a49e27
packers: Aspack



RESULTS FOR XA.EXE:

STATUS: FINISHEDComplete scanning result of "xa.exe", received in VirusTotal at 09.20.2006, 05:21:07 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.16 09.19.2006 TR/Drop.Agent.MM.10
Authentium 4.93.8 09.19.2006 W32/Dropper.BAJ
Avast 4.7.844.0 09.19.2006 Win32:Trojan-gen. {Other}
AVG 386 09.19.2006 Downloader.Agent.GL
BitDefender 7.2 09.20.2006 Trojan.Dropper.Agent.MM
CAT-QuickHeal 8.00 09.18.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 09.20.2006 Trojan.Delf-48
DrWeb 4.33 09.20.2006 Trojan.MulDrop.2324
eTrust-InoculateIT 23.72.128 09.19.2006 Win32/QLowZones.178688!Trojan
eTrust-Vet 30.3.3086 09.19.2006 Win32/Secdrop.JY
Ewido 4.0 09.19.2006 Dropper.Agent.mm
Fortinet 2.82.0.0 09.20.2006 W32/Agent.MM!tr
F-Prot 3.16f 09.19.2006 security risk named W32/Dropper.BAJ
F-Prot4 4.2.1.29 09.19.2006 W32/Dropper.BAJ
Ikarus 0.2.65.0 09.19.2006 Trojan-Dropper.Win32.Agent.MM
Kaspersky 4.0.2.24 09.20.2006 Trojan-Dropper.Win32.Agent.mm
McAfee 4855 09.19.2006 QLowZones-21
Microsoft 1.1560 09.19.2006 TrojanDropper:Win32/Agent!D268
NOD32v2 1.1763 09.19.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 09.19.2006 W32/Agent.ENY
Panda 9.0.0.4 09.19.2006 Adware/MediaTickets
Sophos 4.09.0 09.20.2006 Troj/Agent-DZ
Symantec 8.0 09.20.2006 no virus found
TheHacker 6.0.1.073 09.19.2006 Trojan/Dropper.Agent.mm
UNA 1.83 09.19.2006 TrojanDropper.Win32.Agent.5C65
VBA32 3.11.1 09.19.2006 Trojan-Dropper.Win32.Agent.mm
VirusBuster 4.3.7:9 09.19.2006 no virus found


Aditional Information
File size: 178688 bytes
MD5: 8be68ca8f81010c203b8b68be5a015ad
SHA1: 88ceaa845ec8f9b41f8325a4bff74c81511cf992



FRESH HIJACK LOG:

Logfile of HijackThis v1.99.1
Scan saved at 11:28:31 PM, on 9/19/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\xa.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\fa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\aderamo\My Documents\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.umass.edu"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinUpgrader] C:\xa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Antivirus Installer] C:\fa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384790876
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384778227
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by alderamo, 19 September 2006 - 10:30 PM.


#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 20 September 2006 - 12:35 AM

Please run a scan with HijackThis and check the following objects for removal:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WinUpgrader] C:\xa.exe
O4 - HKLM\..\Run: [Antivirus Installer] C:\fa.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis and reboot.

----

Open up Task Manager by CTRL + ALT +DEL

Go to the Processes tab and kill the following processes:

C:\xa.exe
C:\fa.exe


Then, delete the following files after killing processes::

C:\xa.exe
C:\fa.exe


Empty recycle bin. (If you still can't delete them, reboot into Safe Mode and do it there)

----

Not sure why I didn't notice....

Please apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft.com/downloads/details...;DisplayLang=en

Do NOT install Service Pack 2 yet!!

Apply the update, reboot, and post back with a fresh HijackThis log. :thumbsup:

Edited by Rawe, 20 September 2006 - 12:37 AM.

Hi there, stranger!

#7 alderamo

alderamo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 20 September 2006 - 06:37 PM

On a side note, I will be purchasing a new Windows XP because a pirated version is currently installed on my computer from many years ago. I have never been able to follow through with updates because my computer does not recognize a pass key. I will be doing that tomorrow. Here is the most up to date HJL. Thank you. On another side note, when I booted my computer the annoying freewebs did not pop up. :thumbsup: So whatever we are doing seems to be working!

Logfile of HijackThis v1.99.1
Scan saved at 7:32:43 PM, on 9/20/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\aderamo\My Documents\Download\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://home.microsoft.com/search/lobby/search.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.microsoft.com/search/lobby/search.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.microsoft.com/isapi/redir.dll?
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.umass.edu"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\aderamo\Application Data\Mozilla\Profiles\default\v64n1dh7.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presario.net/scripts/redirec...c00&LC=0409 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Dialpad US Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384790876
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1158384778227
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005111...all/xscan53.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 21 September 2006 - 06:07 AM

Ok. You should take the computer out of internet until you get the legit Windows CD's. With pirated OS, you can't get the updates and you'll be reinfected in no time again....

Please download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit.exe file and allow to run the Express scan.
  • This will scan the files currently running in memory and when something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. :thumbsup:

Hi there, stranger!

#9 alderamo

alderamo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 21 September 2006 - 02:11 PM

Hi. Here is the Dr. Web log:

MiniBugTransporter.dll;C:\WINDOWS\Downloaded Program Files;Adware.Minibug;Incurable.Moved.;
CDWSOCK.DLL;C:\Program Files\Carbon Copy Support;Probably BACKDOOR.Trojan;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM95\Sysfiles;Adware.Aws;Incurable.Moved.;
MiniBugTransporter.dll;C:\Program Files\AWS\WeatherBug;Adware.Aws;Incurable.Moved.;
C58899B0-2546-47C1-B5E3-6B71CD;C:\Program Files\Microsoft AntiSpyware\Quarantine\8BEC69D7-4F31-471B-AA0F-1B4BE0;Trojan.PurityAd;Deleted.;
180SAPack.exe;C:\TEMP;Adware.nCase;Incurable.Moved.;
regUsers.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
A0204775.exe;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1368;Trojan.DownLoader.2282;Deleted.;
A0205718.exe;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1384;Trojan.MulDrop.2234;Deleted.;
A0205719.exe;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1384;Trojan.DownLoader.1389;Deleted.;
A0205745.exe;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1385;Trojan.MulDrop.2324;Deleted.;
A0205746.exe;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1385;Trojan.DownLoader.2282;Deleted.;
A0205804.DLL;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1385;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0205805.EXE;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1385;Adware.Aws;Incurable.Moved.;
A0205806.dll;C:\System Volume Information\_restore{9A471D38-CF55-4C68-8AAC-5C3CE3164E96}\RP1385;Adware.Aws;Incurable.Moved.;

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 22 September 2006 - 06:37 AM

Hows the system running now? :thumbsup:
Hi there, stranger!

#11 alderamo

alderamo
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:37 AM

Posted 22 September 2006 - 07:53 AM

The system is running awesome now. No signs of freewebs for 2 days!!!!!!!! :thumbsup:

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 22 September 2006 - 09:09 AM

You're welcome :thumbsup:

First priority: Install Service Pack 2 by visiting Microsoft Update. After you have installed it, reboot, download & install ALL the available critical updates. This when you get a legit copy of Windows.

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definatley a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place?
Hi there, stranger!

#13 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:01:37 PM

Posted 25 September 2006 - 10:07 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users