Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Oinadserver


  • This topic is locked This topic is locked
10 replies to this topic

#1 slickshott

slickshott

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 21 September 2006 - 02:02 AM

Hi,

I keep getting popups from oinadserver. Although I've searched your sight and seen a few different postings about this malware, it seems that everyone's situation or method for correcting this is slightly different. I could really use some help. I've tried everything I know and followed the directions on this sight to prepare to post a hijackthis log. Thanks in advance for any help you can provide me.

slickshott


Logfile of HijackThis v1.99.1
Scan saved at 11:48:27 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\PROGRA~1\MBOLS~1\regedit.exe
C:\WINDOWS\system32\n?pdb.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: (no name) - {F08ACD8E-566D-5CCB-4105-2DF07ACA3B96} - C:\WINDOWS\system32\mva.dll (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F08ACD8E-566D-5CCB-4105-2DF07ACA3B96} - C:\WINDOWS\system32\mva.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [hkiVlM.exe] C:\windows\system32\hkiVlM.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB006" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\MBOLS~1\regedit.exe" -vt cs_o
O4 - HKCU\..\Run: [Wjjjqgl] C:\WINDOWS\system32\n?pdb.exe
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131504594218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131816414128
O20 - AppInit_DLLs: wuaclt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

BC AdBot (Login to Remove)

 


m

#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 21 September 2006 - 02:23 PM

Hello,

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


If OIN not listed, download and run this uninstaller.

Reboot when done! Really important!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: (no name) - {F08ACD8E-566D-5CCB-4105-2DF07ACA3B96} - C:\WINDOWS\system32\mva.dll (file missing)
O2 - BHO: (no name) - {F08ACD8E-566D-5CCB-4105-2DF07ACA3B96} - C:\WINDOWS\system32\mva.dll (file missing)
O4 - HKLM\..\Run: [hkiVlM.exe] C:\windows\system32\hkiVlM.exe
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\MBOLS~1\regedit.exe" -vt cs_o
O4 - HKCU\..\Run: [Wjjjqgl] C:\WINDOWS\system32\n?pdb.exe
O20 - AppInit_DLLs: wuaclt.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry about the error you will receive in hijackthis. Just click ok there.

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 slickshott

slickshott
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 27 September 2006 - 12:00 AM

Thank you miekiemoes,

Your help has made a significant improvement to my system. I apologize for such a long delay in my response. I work out of town a lot and this is my home desktop.

Here are the logs you requested.

Logfile of HijackThis v1.99.1
Scan saved at 9:55:54 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB006" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131504594218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131816414128
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


Adrienne Kelley - 06-09-26 21:34:41.84 Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Adrienne Kelley\Desktop\Robs Weapons"
Command switches used ::

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\Application Data\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\DOBE~2
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\FNTS~1
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\SMBOLS~1
C:\QooBox\Purity\Program Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-26 to 2006-09-26 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-26 21:32 -------- d-------- C:\Program Files\HijackThis
2006-09-21 02:16 -------- d-------- C:\Documents and Settings\Adrienne Kelley\Application Data\WeatherBug
2006-09-21 02:13 -------- d-------- C:\Program Files\MyWebSearchWB
2006-09-21 02:13 -------- d-------- C:\Program Files\AWS
2006-09-21 01:16 -------- d-------- C:\Program Files\Common Files
2006-09-21 01:04 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-21 01:02 -------- d-------- C:\Program Files\Symantec
2006-09-21 00:25 -------- d-------- C:\Program Files\Shareaza
2006-09-20 22:23 -------- d-------- C:\Program Files\Internet Explorer
2006-09-20 22:22 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-20 22:20 -------- d-------- C:\Documents and Settings\Adrienne Kelley\Application Data\Sun
2006-09-20 22:08 -------- d-------- C:\Program Files\Java
2006-09-20 22:06 -------- d-------- C:\Program Files\Common Files\Java
2006-09-20 21:20 -------- d-------- C:\Program Files\EPSON Print CD
2006-09-20 15:05 -------- d-------- C:\Program Files\Common Files\OE
2006-09-20 15:05 -------- d-------- C:\Program Files\Aprps
2006-09-19 18:16 475 ---hs---- C:\WINDOWS\system32\hkivlm.dll
2006-09-15 19:29 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-13 13:06 -------- d-------- C:\Program Files\EPSON
2006-09-05 13:47 -------- d-------- C:\Program Files\BearShare
2006-09-03 21:08 -------- d-------- C:\Program Files\Eidos Interactive
2006-09-02 16:22 -------- d-------- C:\Program Files\The Learning Company
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 21:05 26 --a--c--- C:\WINDOWS\winstart.bat
2006-08-20 21:05 124 --a--c--- C:\WINDOWS\tmpcpyis.bat
2006-08-20 21:05 122 --a--c--- C:\WINDOWS\tmpdelis.bat
2006-08-20 21:02 -------- d-------- C:\Program Files\Maxis
2006-08-14 15:32 -------- d-------- C:\Program Files\Common Files\Ódobe
2006-07-30 22:07 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-07-30 21:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-27 06:24 679424 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.exe 1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P30 \"EPSON Stylus Photo R220 Series\" /O6 \"USB006\" /M \"Stylus Photo R220\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,60,00,00,00,00,00,00,00,20,04,00,00,3f,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,bc,00,00,00,00,00,00,00,84,05,00,00,92,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,bc,00,00,00,00,00,00,00,84,05,00,00,92,04,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Adrienne Kelley^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
"path"="C:\\Documents and Settings\\Adrienne Kelley\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"backup"="C:\\WINDOWS\\pss\\PowerReg Scheduler.exeStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Adrienne Kelley\\Start Menu\\Programs\\Startup\\PowerReg Scheduler.exe"
"item"="PowerReg Scheduler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BigFix.lnk"
"backup"="C:\\WINDOWS\\pss\\BigFix.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\BigFix\\BigFix.exe /atstartup"
"item"="BigFix"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Planner Reminders Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Planner Reminders Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Sierra\\CardStudio\\PLNRnote.exe "
"item"="Event Planner Reminders Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\16xvtjR]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="16xvtjR"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\16xvtjR.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\a03qRXapi]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmrprep"
"hkey"="HKCU"
"command"="dmrprep.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\A6d]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="A6d"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\A6d.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AutoUpdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AutoUpdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\AutoUpdate\\AutoUpdate.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\b]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="b"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\b.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BearShare]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BearShare"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DM_Server]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dmserver"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMETS~1\\DM\\bin\\dmserver.exe /onreboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\hkiVlM.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkiVlM"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\hkiVlM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\I]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="I"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\Adrienne Kelley\\Local Settings\\Temp\\I.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\jjtcPC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jjtcPC"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\jjtcPC.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Jwlosshw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="??rss"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\??rss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LXSUPMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OrbitUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="update"
"hkey"="HKLM"
"command"="C:\\Program Files\\Orbit\\update.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OrbitView]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="view"
"hkey"="HKLM"
"command"="C:\\Program Files\\Orbit\\view.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\r3sk37W]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dnsvideo"
"hkey"="HKLM"
"command"="dnsvideo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\u]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="u"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\u.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Usrr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rpen"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\Adrienne Kelley\\Application Data\\rpen.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\uxCk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uxCk"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\uxCk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WFm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WFm"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\WFm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\YRlZzie0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YRlZzie0"
"hkey"="HKLM"
"command"="C:\\documents and settings\\adrienne kelley\\local settings\\temp\\YRlZzie0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"SymWSC"=dword:00000002
"SNDSrvc"=dword:00000003
"ScsiAccess"=dword:00000002
"SBService"=dword:00000002
"navapsvc"=dword:00000002
"LexBceS"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Tue 09/26/2006 21:35:23.42
ComboFix.txt
ComboFix2.txt

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 27 September 2006 - 02:01 AM

Hello,

Some remarks first..

I see your Norton/symantec Antivirus startupentries and services are disabled. Did you disable this? And if so... why?
Without antivirus software enabled, you're wideopen to infection, because nothing is preventing malware.

So, go to start > run and type: msconfig
Choose the tab services and check next entries to enable your Antivirus again:

SymWMI Service
Symantec Password Validation Service
Norton AntiVirus Auto Protect Service
Symantec Network Drivers Service
Symantec Event Manager

Then choose the tab startup and check next entries to enable them:

Symantec NetDriver Monitor
ccRegVfy
ccApp

If there is any reason why you don't want to enable them again, let me know.

Some other remarks.. I see you installed AWS - Desktop weather. From your combofix log, I can see it installed some additional adware components. That's why I do not recommend AWS Weatherbug.
So, uninstall next programs via add/remove:

AWS Weatherbug
MyWebSearchWB

Also look if there is Apropos listed in add/remove programs and uninstall it.

And, I see you installed Bearshare..
In case you didn't pay for it, I strongly recommend you uninstall it -- because the free version is bundled with spyware.

Then Reboot.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please hide your hidden files and folders afterwards again, when we are done with this thread and your problems are solved, because above instructions to set your system to show all files, unhide legit files and folders as well.
And I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.


After reboot, Delete next folders if you uninstalled AWS Weatherbug, Bearshare and MyWebsearchWB:

C:\Documents and Settings\Adrienne Kelley\Application Data\WeatherBug
C:\Program Files\MyWebSearchWB
C:\Program Files\AWS
C:\Program Files\Bearshare
C:\Program Files\Aprps

Can you tell me what Files are present in next folder?:

C:\Program Files\Common Files\OE

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^Adrienne Kelley^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\16xvtjR]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\a03qRXapi]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\A6d]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AutoUpdater]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\b]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BearShare]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DM_Server]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\hkiVlM.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\I]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\jjtcPC]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Jwlosshw]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MyWebSearch Email Plugin]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\r3sk37W]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\u]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Usrr]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\uxCk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\WFm]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\YRlZzie0]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido and reboot!!
  • Post the contents of the Ewido log you saved in your next reply together with a new hijackthislog.
Extra addition..
Go to next site:
http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\WINDOWS\system32\hkivlm.dll <== this is a hidden file, so make sure hidden files and folders are shown as I explained previously.

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results in your next reply.

Edited by miekiemoes, 27 September 2006 - 02:02 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 slickshott

slickshott
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 30 September 2006 - 03:28 PM

I am going to use the McAfee product instead of the Norton. I will post the rest in my next reply.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 30 September 2006 - 04:40 PM

I am going to use the McAfee product instead of the Norton. I will post the rest in my next reply.

In that case, you have to uninstall Norton. You can't have two Antivirus installed, because they are incompatible.
Did you purchase McAfee? In case you didn't.. are you planning to purchase it? Because when the trial has expired, it won't be able to update and protect your computer.
There are also good FREE antivirusscanners. You can find the ones I recommend in my signature.

Also, in case you are having problems with uninstalling Norton, read here:

To fully remove Norton AntiVirus, you should go here and download the files and print the instructions for removal, and follow them:
How to uninstall Norton AntiVirus 2004/2005/2006 (note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)
How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition
How to uninstall Norton AntiVirus 2000/2001/2002

Also read this article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton:
http://basconotw.mvps.org/SymRem.htm
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 slickshott

slickshott
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 30 September 2006 - 06:54 PM

Hi,

I uninstalled Symantec products as best as I could according to your directions. I also uninstalled Weatherbug. I could not find MyWebSearchWB in the Add/Remove Programs window. I could not find Bearshare either in Add/Remove programs.

I installed McAfee virus scan plus the paid version.

Here are the logs you requested. I also included a new combofix log.

Logfile of HijackThis v1.99.1
Scan saved at 4:33:39 PM, on 9/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptsn.dll
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB006" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [0251321159658688mcinstcleanup] C:\DOCUME~1\ADRIEN~1\LOCALS~1\Temp\025132~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1131504594218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1131816414128
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:58:57 PM 9/30/2006

+ Scan result:



C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Program Files\ClockSync -> Adware.WhenU : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@112.2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@gateway.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Johnathan\Cookies\johnathan@gateway.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@ehg-dig.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Chelsea\Cookies\chelsea@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).


::Report end

STATUS: FINISHEDComplete scanning result of "hkivlm.dll", received in VirusTotal at 10.01.2006, 00:07:55 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.22 09.30.2006 no virus found
Authentium 4.93.8 09.29.2006 no virus found
Avast 4.7.892.0 09.29.2006 no virus found
AVG 386 09.29.2006 no virus found
BitDefender 7.2 09.30.2006 no virus found
CAT-QuickHeal 8.00 09.30.2006 no virus found
ClamAV devel-20060426 09.30.2006 no virus found
DrWeb 4.33 09.30.2006 no virus found
eTrust-InoculateIT 23.73.10 09.30.2006 no virus found
eTrust-Vet 30.3.3106 09.30.2006 no virus found
Ewido 4.0 09.30.2006 no virus found
Fortinet 2.82.0.0 09.30.2006 no virus found
F-Prot 3.16f 09.29.2006 no virus found
F-Prot4 4.2.1.29 09.29.2006 no virus found
Ikarus 0.2.65.0 09.29.2006 no virus found
Kaspersky 4.0.2.24 09.30.2006 no virus found
McAfee 4863 09.29.2006 no virus found
Microsoft 1.1603 09.30.2006 no virus found
NOD32v2 1.1784 09.29.2006 no virus found
Norman 5.90.23 09.29.2006 no virus found
Panda 9.0.0.4 09.30.2006 no virus found
Sophos 4.10.0 09.30.2006 no virus found
Symantec 8.0 10.01.2006 no virus found
TheHacker 6.0.1.088 09.30.2006 no virus found
UNA 1.83 09.29.2006 no virus found
VBA32 3.11.1 09.29.2006 no virus found
VirusBuster 4.3.7:9 09.30.2006 no virus found


Aditional Information
File size: 475 bytes
MD5: 8dd3bfa3244fa5890f827294eaf7c408
SHA1: 80c1d6ceba8ea0ece252a1f63e6bc7612ef02cef

Adrienne Kelley - 06-09-30 16:34:55.40 Service Pack 2
ComboFix 06.09.20 - Running from: "C:\Documents and Settings\Adrienne Kelley\Desktop\Robs Weapons"
Command switches used ::

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\Application Data\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\ASEMBL~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\DOBE~2
C:\QooBox\Purity\Documents and Settings\Adrienne Kelley\My Documents\FNTS~1
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\MCROSO~1
C:\QooBox\Purity\Program Files\MCROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\SCURIT~1
C:\QooBox\Purity\Program Files\Common Files\SMBOLS~1
C:\QooBox\Purity\Program Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\system32\FNTS~1
C:\QooBox\Purity\WINDOWS\system32\ICROSO~1.NET
C:\QooBox\Purity\WINDOWS\system32\TSKS~1
C:\QooBox\Purity\WINDOWS\system32\YSTEM~1


((((((((((((((((((((((((((((((( Files Created from 2006-08-30 to 2006-09-30 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-30 16:33 -------- d-------- C:\Program Files\HijackThis
2006-09-30 16:26 -------- d-------- C:\Program Files\McAfee
2006-09-30 16:25 -------- d-------- C:\Program Files\Common Files\McAfee
2006-09-30 16:24 -------- d-------- C:\Program Files\McAfee.com
2006-09-30 16:23 -------- d-------- C:\Program Files\Common Files
2006-09-30 15:46 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-30 15:42 -------- d-------- C:\Program Files\Symantec Technical Support
2006-09-30 14:04 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-27 02:03 -------- d-------- C:\Program Files\iTunes
2006-09-27 02:03 -------- d-------- C:\Documents and Settings\Adrienne Kelley\Application Data\Apple Computer
2006-09-27 02:02 -------- d-------- C:\Program Files\iPod
2006-09-27 02:01 -------- d-------- C:\Program Files\QuickTime
2006-09-27 02:00 -------- d-------- C:\Program Files\Apple Software Update
2006-09-21 00:25 -------- d-------- C:\Program Files\Shareaza
2006-09-20 22:23 -------- d-------- C:\Program Files\Internet Explorer
2006-09-20 22:22 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-09-20 22:20 -------- d-------- C:\Documents and Settings\Adrienne Kelley\Application Data\Sun
2006-09-20 22:08 -------- d-------- C:\Program Files\Java
2006-09-20 22:06 -------- d-------- C:\Program Files\Common Files\Java
2006-09-20 21:20 -------- d-------- C:\Program Files\EPSON Print CD
2006-09-19 18:16 475 ---hs---- C:\WINDOWS\system32\hkivlm.dll
2006-09-15 19:29 -------- d-------- C:\Program Files\Norton AntiVirus
2006-09-13 13:06 -------- d-------- C:\Program Files\EPSON
2006-09-03 21:08 -------- d-------- C:\Program Files\Eidos Interactive
2006-09-02 16:22 -------- d-------- C:\Program Files\The Learning Company
2006-08-21 05:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 02:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-20 21:05 26 --a--c--- C:\WINDOWS\winstart.bat
2006-08-20 21:05 124 --a--c--- C:\WINDOWS\tmpcpyis.bat
2006-08-20 21:05 122 --a--c--- C:\WINDOWS\tmpdelis.bat
2006-08-20 21:02 -------- d-------- C:\Program Files\Maxis
2006-08-14 16:26 37832 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2006-08-14 16:25 33928 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2006-08-14 16:25 31752 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2006-08-14 16:25 162504 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2006-08-14 15:32 -------- d-------- C:\Program Files\Common Files\Ódobe
2006-08-14 13:00 104536 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2006-07-30 22:07 12464 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-07-30 21:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-27 06:24 679424 --a--c--- C:\WINDOWS\system32\inetcomm.dll
2006-07-21 01:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tgcmd"="\"C:\\Program Files\\Support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIA.EXE /P30 \"EPSON Stylus Photo R220 Series\" /O6 \"USB006\" /M \"Stylus Photo R220\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"0251321159658688mcinstcleanup"="C:\\DOCUME~1\\ADRIEN~1\\LOCALS~1\\Temp\\025132~1.EXE C:\\PROGRA~1\\COMMON~1\\McAfee\\INSTAL~1\\cleanup.ini -cleanup -nolog"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonceex]
@=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000002

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,3f,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,bc,00,00,00,00,00,00,00,84,05,00,00,92,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,bc,00,00,00,00,00,00,00,84,05,00,00,92,04,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-disabled]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BigFix.lnk"
"backup"="C:\\WINDOWS\\pss\\BigFix.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\BigFix\\BigFix.exe /atstartup"
"item"="BigFix"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Event Planner Reminders Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\Event Planner Reminders Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Sierra\\CardStudio\\PLNRnote.exe "
"item"="Event Planner Reminders Tray Icon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\LXSUPMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LXSUPMON"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\LXSUPMON.EXE RUN"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OrbitUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="update"
"hkey"="HKLM"
"command"="C:\\Program Files\\Orbit\\update.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\OrbitView]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="view"
"hkey"="HKLM"
"command"="C:\\Program Files\\Orbit\\view.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\tgcmd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tgcmd"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\support.com\\bin\\tgcmd.exe\" /server"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"SymWSC"=dword:00000002
"SNDSrvc"=dword:00000003
"ScsiAccess"=dword:00000002
"SBService"=dword:00000002
"navapsvc"=dword:00000002
"LexBceS"=dword:00000002
"ccPwdSvc"=dword:00000003
"ccEvtMgr"=dword:00000002


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\MCODS

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\McDefragTask.job
C:\WINDOWS\tasks\McQcTask.job

Completion time: Sat 09/30/2006 16:36:54.53
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 30 September 2006 - 07:06 PM

Looking good..

Now since you uninstalled Norton/symantec, we still have to delete some related registry leftovers - the ones you disabled previously via msconfig, so perform next:

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\services]
"SymWSC"=-
"SNDSrvc"=-
"SBService"=-
"navapsvc"=-
"ccPwdSvc"=-
"ccEvtMgr"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccRegVfy]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]

Save this as fix.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 slickshott

slickshott
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  •  
  • Local time:08:37 AM

Posted 30 September 2006 - 08:35 PM

Miekiemoes,

Thank you very much for all of your help. Everything seems to running a lot better. I have no more pop ups and I don't even have the pop up blocker enabled!

How might I compensate you for your efforts?

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 01 October 2006 - 01:37 AM

Glad I could help. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Let your antispywarescanner(s) scan frequently and don't forget to update before.

And I do suggest you perform an online virusscan once in a while. (Housecall and/or Bitdefender). Because what one virusscanner can't find another one maybe can.
Also make sure that your virusscanner, the one that is installed on your system is always up to date!

Make sure your windows has the latest updates: http://windowsupdate.microsoft.com/

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware you can also find here (By Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :flowers:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:04:37 PM

Posted 02 October 2006 - 04:24 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users