
Clickspring.purityscan And Popupwithcast


18 replies to this topic

#1 boofie75


Posted 24 November 2006 - 04:56 PM

I can't seem to get rid of ClickSpring.PuritySCAN and PopupWithCAst, can anyone help, please?


Logfile of HijackThis v1.99.1
Scan saved at 3:48:41 PM, on 11/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,aaroedn.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AdobeVersionCue] C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871013421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\ADOBE\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)
O23 - Service: dmscript.exe - Unknown owner - C:\WINDOWS\system32\dmscript.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
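
As an added example (not from this thread and not part of HijackThis), a small Python triage pass over lines in the HijackThis v1.99 log format shown above: it flags the Winlogon UserInit value that launches extra programs, the DLLs pushed into every process via AppInit_DLLs, ActiveX downloads from unrecognised hosts, and registry entries whose target file is gone. The sample lines are copied from the log above; the rules, the expected UserInit path and the allowlist of download hosts are my own assumptions.

```python
"""Triage helper for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log above, with one
# clean O4, O21 and O23 line each so the rules have negatives to ignore.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,aaroedn.exe,C:\WINDOWS\system32\ntos.exe,
O3 - Toolbar: (no name) - {74DD705D-6834-439C-A735-A6DBE2677452} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)
O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O20"
    severity: str  # "high" or "medium"
    reason: str
    line: str


# Assumption: on a default XP install UserInit holds exactly this one path.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"
# Assumption: hosts from which an ActiveX download (O16 DPF) is expected here.
KNOWN_DPF_HOSTS = {"update.microsoft.com", "cdn.scan.safety.live.com"}

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")


def userinit_extras(value: str) -> List[str]:
    """Return everything chained onto UserInit other than the expected path."""
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != EXPECTED_USERINIT]


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth a second look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.group(1), m.group(2)

        # F2: Winlogon launches extra programs alongside userinit.exe.
        if section == "F2" and "UserInit=" in body:
            extras = userinit_extras(body.split("UserInit=", 1)[1])
            if extras:
                findings.append(Finding(section, "high",
                    "UserInit launches extra programs: " + ", ".join(extras), line))
            continue

        # O20: every DLL in AppInit_DLLs is loaded into every user32 process.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d for d in re.split(r"[\s,]+", body.split(":", 1)[1]) if d]
            if dlls:
                findings.append(Finding(section, "high",
                    f"{len(dlls)} DLL(s) injected via AppInit_DLLs: " + ", ".join(dlls), line))
            continue

        # O16: ActiveX package downloaded from a host not on the allowlist.
        if section == "O16":
            url_m = re.search(r"https?://\S+", body)
            host = urlparse(url_m.group(0)).hostname if url_m else None
            if host and host not in KNOWN_DPF_HOSTS:
                findings.append(Finding(section, "medium",
                    f"ActiveX download from unrecognised host {host}", line))
            continue

        # O3/O18/O21/O23: the registry still points at a file that is gone,
        # typically what a partial removal leaves behind; an unknown-owner
        # service with a missing binary is rated higher.
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            sev = "high" if "Unknown owner" in body else "medium"
            findings.append(Finding(section, sev,
                "Registry entry references a missing file", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n    {f.line}")
```

Running it on the sample yields seven findings, three of them rated high (the F2 UserInit chain, the O20 AppInit_DLLs list and the unknown-owner O23 service with a missing binary).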

#2 MFDnSC


Posted 24 November 2006 - 05:10 PM

1. Download this file:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.
===================

SpySweeper http://www.webroot.com/consumer/products/s...4129&ac=tsg

(It's a 2 week trial.)

* Click the Try Spy Sweeper for Free (Download the trial) link.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 boofie75


Posted 25 November 2006 - 12:21 AM

Thanks for the quick response! I am amazed!

Combofix did not give me a log file of any kind, but it came up with a message while it ran, saying that I had been infected, and it gave me two names:

Look2Me Orphaned Entries
SurfSidekick

I don't know if they mean anything to you, but that's all it gave me.

SPYSWEEPER SESSION:
------------------------------------
23:12: Removal process completed. Elapsed time 00:00:03
23:12: Quarantining All Traces: tribalfusion cookie
23:12: Quarantining All Traces: reliablestats cookie
23:12: Quarantining All Traces: serving-sys cookie
23:12: Quarantining All Traces: questionmarket cookie
23:12: Quarantining All Traces: mygeek cookie
23:12: Quarantining All Traces: mediaplex cookie
23:12: Quarantining All Traces: webtrends cookie
23:12: Quarantining All Traces: gamespy cookie
23:12: Quarantining All Traces: ru4 cookie
23:12: Quarantining All Traces: atlas dmt cookie
23:12: Quarantining All Traces: pointroll cookie
23:12: Quarantining All Traces: 2o7.net cookie
23:12: Quarantining All Traces: sogou toolbar
23:12: Quarantining All Traces: vs toolbar
23:12: Quarantining All Traces: highport smtp relayer
23:12: Quarantining All Traces: deluxecommunications
23:12: Quarantining All Traces: trojan-backdoor-rustock
23:12: Quarantining All Traces: trojan-downloader-pscastor
23:12: Quarantining All Traces: trojan-downloader-traffic-acc.com
23:12: Quarantining All Traces: elitemediagroup-mediamotor
23:12: Quarantining All Traces: trojan-foop
23:12: Quarantining All Traces: trojan looksy
23:12: Quarantining All Traces: fullcontext
23:12: Quarantining All Traces: trojan-downloader-nurech
23:12: Quarantining All Traces: trojan-backdoor-progdav
23:12: Quarantining All Traces: enbrowser
23:12: Quarantining All Traces: trojan-backdoor-haxdoor
23:12: Removal process initiated
22:40: Traces Found: 50
22:40: Custom Sweep has completed. Elapsed time 01:05:47
22:40: File Sweep Complete, Elapsed Time: 01:04:19
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\webnexus.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc7.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision4.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor1.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\locksky1.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\coolwwwsearch.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision5.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision14.zip]
22:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision15.zip]
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:34: Warning: Access violation at address 005A97FC in module 'SpySweeper.exe'. Read of address 0000038C
22:33: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient1.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc6.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc5.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc4.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision16.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision13.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision12.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient8.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\spysheriff.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar2.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient7.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient6.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision11.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\locksky.zip]
22:32: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc2.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudctoolbar.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc23.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc22.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc21.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc20.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc19.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc18.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc17.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc16.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc15.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc24.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc14.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\torpig1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\axfibula.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc13.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc12.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc11.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc10.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc9.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc8.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc3.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision10.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision9.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision8.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision7.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision6.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor5.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision2.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor4.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\smitfraudc.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\vcodec.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\webnexus1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\windowsadtools.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\zenosearchsearch.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\zlobdownloader.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\seachtoolbarcorptoolbarvision3.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor3.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor2.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\networkmonitor.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\microsoftwindowssecuritycenterantivirusoverride.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\mediamotor.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\dyfuca1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\dyfuca.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\downloadertsupdatel1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\downloadertsupdatel.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\commandservice.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient5.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient4.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient3.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\casclient2.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\astakiller2.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\astakiller1.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\astakiller.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\torpig.zip]
22:31: Warning: AntiVirus engine returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\sexlist.zip]
22:31: Warning: Failed to access drive E:
22:31: Warning: Failed to access drive D:
22:31: C:\WINDOWS\system32\ws386.ini (ID = 372746)
22:31: Found Trojan Horse: highport smtp relayer
22:26: Warning: AntiVirus engine returned [File Corrupted] on [c:\documents and settings\brad hofbauer\desktop\windowsxp-kb886185-x86-enu.exe]
22:26: Warning: AntiVirus engine returned [Access Denied] on [c:\pagefile.sys]
22:17: C:\WINDOWS\system32\bkd.exe (ID = 361293)
22:17: Found Adware: deluxecommunications
22:06: Warning: AntiVirus engine returned [File Encrypted] on [c:\xbox hack\slayers\slayers_evox_auto-installer_v2.6_final.exe]
22:00: C:\Program Files\Total Video Converter\RealMediaSplitter.ax (ID = 385620)
22:00: Found Adware: sogou toolbar
21:57: c:\windows\system32:lzx32.sys (ID = 350068)
21:57: Found Trojan Horse: trojan-backdoor-rustock
21:55: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\adobe\acrobat 6.0\reader\messages\enu\rdrmsgenu.pdf]
21:49: C:\WINDOWS\uni_e6h.exe (ID = 360453)
21:42: C:\Program Files\PSCastor\Uninstall.exe (ID = 391287)
21:42: C:\WINDOWS\system32\svchostx.exe (ID = 378496)
21:42: C:\WINDOWS\system32\svchostp.exe (ID = 378494)
21:42: Found Trojan Horse: trojan looksy
21:40: Warning: AntiVirus engine returned [File Encrypted] on [c:\program files\lavasoft\ad-aware se personal\skins\ad-aware se default.ask]
21:36: C:\Program Files\PSCastor (1 subtraces) (ID = 2147535153)
21:36: C:\Program Files\PSDream (ID = 2147531244)
21:36: C:\Program Files\VSAdd-in (ID = 2147536105)
21:36: C:\Program Files\VSToolbar (ID = 2147531659)
21:36: Starting File Sweep
21:36: Warning: Failed to access drive A:
21:36: Cookie Sweep Complete, Elapsed Time: 00:00:00
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@wii.gamespy[2].txt (ID = 2719)
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@tribalfusion[2].txt (ID = 3589)
21:36: Found Spy Cookie: tribalfusion cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@stats1.reliablestats[2].txt (ID = 3254)
21:36: Found Spy Cookie: reliablestats cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@serving-sys[1].txt (ID = 3343)
21:36: Found Spy Cookie: serving-sys cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@questionmarket[1].txt (ID = 3217)
21:36: Found Spy Cookie: questionmarket cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@mygeek[1].txt (ID = 3041)
21:36: Found Spy Cookie: mygeek cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@msnservices.112.2o7[1].txt (ID = 1958)
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@msnportal.112.2o7[1].txt (ID = 1958)
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@mediaplex[1].txt (ID = 6442)
21:36: Found Spy Cookie: mediaplex cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@m.webtrends[2].txt (ID = 3669)
21:36: Found Spy Cookie: webtrends cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@gamespy[1].txt (ID = 2719)
21:36: Found Spy Cookie: gamespy cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@edge.ru4[1].txt (ID = 3269)
21:36: Found Spy Cookie: ru4 cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@atdmt[2].txt (ID = 2253)
21:36: Found Spy Cookie: atlas dmt cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@ads.pointroll[2].txt (ID = 3148)
21:36: Found Spy Cookie: pointroll cookie
21:36: c:\documents and settings\brad hofbauer\cookies\brad hofbauer@2o7[2].txt (ID = 1957)
21:36: Found Spy Cookie: 2o7.net cookie
21:36: Starting Cookie Sweep
21:36: Registry Sweep Complete, Elapsed Time:00:00:09
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\microsoft\windows\currentversion\ext\stats\{f18f04b0-9cf1-4b93-b004-77a288bee28b}\ (ID = 1847524)
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {74dd705d-6834-439c-a735-a6dbe2677452} (ID = 1846670)
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\pscastor\ (ID = 1822676)
21:36: Found Trojan Horse: trojan-downloader-pscastor
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\psdream\ (ID = 1681362)
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\pscloner\ (ID = 1656417)
21:36: Found Adware: fullcontext
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\unker\ (ID = 1630527)
21:36: Found Trojan Horse: trojan-downloader-nurech
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\system\sysuid\ (ID = 731748)
21:36: HKLM\software\microsoft\internet explorer\toolbar\ || {74dd705d-6834-439c-a735-a6dbe2677452} (ID = 1846689)
21:36: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{46a4e9d9-b30e-452a-8157-dbbec8573b03}\ (ID = 1827647)
21:36: Found Adware: vs toolbar
21:36: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || userinit (ID = 1778082)
21:36: Found Trojan Horse: trojan-backdoor-progdav
21:36: HKLM\system\currentcontrolset\enum\root\legacy_ntio256\ (ID = 1701678)
21:36: HKLM\system\currentcontrolset\services\ntio256\ (ID = 1697742)
21:36: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa\ (ID = 1662279)
21:36: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {855875b5-93f3-429d-ff34-660b206d897c} (ID = 1577891)
21:36: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{855875b5-93f3-429d-ff34-660b206d897c}\ (ID = 1577890)
21:36: Found Trojan Horse: trojan-downloader-traffic-acc.com
21:36: HKLM\software\classes\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1502055)
21:36: HKLM\software\classes\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1502046)
21:36: HKCR\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1497902)
21:36: HKCR\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1497893)
21:36: Found Adware: elitemediagroup-mediamotor
21:36: HKLM\software\system\sysold\ (ID = 926808)
21:36: Found Adware: enbrowser
21:35: Starting Registry Sweep
21:35: Memory Sweep Complete, Elapsed Time: 00:01:14
21:34: Starting Memory Sweep
21:34: HKLM\system\currentcontrolset\services\ntio256\ || imagepath (ID = 1702505)
21:34: Found Trojan Horse: trojan-foop
21:34: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa\ || dllname (ID = 1662281)
21:34: Found Trojan Horse: trojan-backdoor-haxdoor
21:34: Start Custom Sweep
21:34: Sweep initiated using definitions version 808
21:34: Spy Sweeper 5.2.3.2125 started
21:34: | Start of Session, 06-11-24 |
********

AND MY HIJACK THIS LOG:
---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 23:17, on 06-11-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AdobeVersionCue] "C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871013421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\ADOBE\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)
O23 - Service: dmscript.exe - Unknown owner - C:\WINDOWS\system32\dmscript.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Spy Sweeper writes its session log newest line first, and it logs the "Found <category>: <name>" line before the individual registry keys and files of that detection, so in the pasted text each detection's items sit above its "Found" line. The Python script below is an added example (not part of the original post and not Webroot's code) that reads an excerpt of the session above back into chronological order, groups the items under their detection, and reports which autostart locations each one touches: the Winlogon Userinit value, Winlogon Notify packages, services, SharedTaskScheduler and Browser Helper Objects. The log lines are copied from the post; the persistence labels and the choice of excerpt are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample: an excerpt of the Spy Sweeper session posted above, kept in
# the order Spy Sweeper writes it (newest line first).
SPY_SWEEPER_LOG = r"""
21:36: HKU\S-1-5-21-1202660629-287218729-682003330-1004\software\pscastor\ (ID = 1822676)
21:36: Found Trojan Horse: trojan-downloader-pscastor
21:36: HKLM\software\microsoft\windows nt\currentversion\winlogon\ || userinit (ID = 1778082)
21:36: Found Trojan Horse: trojan-backdoor-progdav
21:36: HKLM\system\currentcontrolset\services\ntio256\ (ID = 1697742)
21:36: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa\ (ID = 1662279)
21:36: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {855875b5-93f3-429d-ff34-660b206d897c} (ID = 1577891)
21:36: Found Trojan Horse: trojan-downloader-traffic-acc.com
21:35: Starting Registry Sweep
21:35: Memory Sweep Complete, Elapsed Time: 00:01:14
21:34: Starting Memory Sweep
21:34: HKLM\system\currentcontrolset\services\ntio256\ || imagepath (ID = 1702505)
21:34: Found Trojan Horse: trojan-foop
21:34: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\pasksa\ || dllname (ID = 1662281)
21:34: Found Trojan Horse: trojan-backdoor-haxdoor
21:34: Start Custom Sweep
"""

FOUND_RE = re.compile(r"^\d\d:\d\d: Found (?P<category>[^:]+): (?P<name>.+)$")
ITEM_RE = re.compile(r"^\d\d:\d\d: (?P<item>.+?) \(ID = \d+\)$")

# Autostart locations worth recognising in any detection list. The labels are this
# example's own wording (an assumption), not Spy Sweeper categories.
PERSISTENCE = [
    ("Winlogon Userinit value", re.compile(r"\\winlogon\\ \|\| userinit", re.I)),
    ("Winlogon Notify package", re.compile(r"\\winlogon\\notify\\", re.I)),
    ("Service or driver", re.compile(r"\\currentcontrolset\\services\\", re.I)),
    ("SharedTaskScheduler", re.compile(r"\\sharedtaskscheduler\\", re.I)),
    ("Browser Helper Object", re.compile(r"\\browser helper objects\\", re.I)),
]


def parse_spy_sweeper(text):
    """Group item lines under the detection they belong to.

    Reading the newest-first log bottom-up restores chronological order: each
    'Found' line opens a group, and the item lines that follow it belong to that
    group until a sweep-phase marker (e.g. 'Starting Registry Sweep') closes it.
    """
    detections = OrderedDict()
    current = None
    for line in reversed(text.strip().splitlines()):
        m = FOUND_RE.match(line)
        if m:
            current = (m.group("category"), m.group("name"))
            detections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            detections[current].append(m.group("item"))
        else:
            current = None  # phase marker or unparsed line: close the group
    return detections


def persistence_points(detections):
    """Map each detection name to the set of autostart locations its items touch."""
    hits = {}
    for (_category, name), items in detections.items():
        for item in items:
            for label, pattern in PERSISTENCE:
                if pattern.search(item):
                    hits.setdefault(name, set()).add(label)
    return hits


def report(text):
    """One summary line per detection, in the order the sweep found them."""
    detections = parse_spy_sweeper(text)
    hits = persistence_points(detections)
    lines = []
    for (category, name), items in detections.items():
        where = ", ".join(sorted(hits.get(name, ()))) or "no autostart location"
        lines.append("%s %s: %d item(s); %s" % (category, name, len(items), where))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SPY_SWEEPER_LOG)))
```

The grouping matters for what the log actually says: the Userinit value (trojan-backdoor-progdav) and the Winlogon Notify package pasksa (trojan-backdoor-haxdoor) both run code inside winlogon.exe at every logon, and the ntio256 service is a driver, which is why the later HijackThis fix list alone does not account for everything Spy Sweeper removed here.
<test>
d = parse_spy_sweeper(SPY_SWEEPER_LOG)
assert list(d.keys())[0] == ("Trojan Horse", "trojan-backdoor-haxdoor")
assert d[("Trojan Horse", "trojan-backdoor-progdav")] == [r"HKLM\software\microsoft\windows nt\currentversion\winlogon\ || userinit"]
assert len(d[("Trojan Horse", "trojan-downloader-traffic-acc.com")]) == 3
p = persistence_points(d)
assert p["trojan-backdoor-haxdoor"] == {"Winlogon Notify package"}
assert "Winlogon Userinit value" in p["trojan-backdoor-progdav"]
assert p["trojan-foop"] == {"Service or driver"}
assert p["trojan-downloader-traffic-acc.com"] == {"Winlogon Notify package", "Service or driver", "SharedTaskScheduler"}
assert "trojan-downloader-pscastor" not in p
assert len(report(SPY_SWEEPER_LOG)) == 5
</test>

#4 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 25 November 2006 - 10:05 AM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab

O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)

O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll

O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)

O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - (no file)

O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)

O23 - Service: dmscript.exe - Unknown owner - C:\WINDOWS\system32\dmscript.exe (file missing)
=======================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

dmocx.exe

Right-click and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

Repeat for - dmscript.exe
==============================
DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\system32\dpmomspr.dll
C:\WINDOWS\system32\dminupnp.dll
C:\WINDOWS\system32\ajchkfin.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#5 boofie75

boofie75
  • Topic Starter

  • Members
  • 61 posts

Posted 25 November 2006 - 01:57 PM

Thank you again! All four files came up as not existing in KillBox, but nothing out of the ordinary happened and everything went well.


-------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:52:09 PM, on 11/25/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AdobeVersionCue] "C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871013421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\ADOBE\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
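
What the helper does between the first log and this one is a triage pass over the O-lines followed by a before/after comparison. The Python script below is an added example (not HijackThis code and not from the thread) that reproduces that pass on excerpts of the two logs: it flags entries whose file no longer exists, a non-empty AppInit_DLLs value, and O16 downloads from hosts outside a small allowlist, then diffs the two logs to confirm the fixed entries are gone and nothing new appeared. TRUSTED_DPF_HOSTS and KNOWN_BENIGN_ORPHANS are assumptions a local analyst would maintain, not HijackThis features; the xpnetdiag CLSID is listed there because it is the standard Windows XP SP2 Network Diagnostic entry that reports "file missing" on many otherwise clean machines. The log lines are copied from the posts, truncated URLs included.

```python
import re
from urllib.parse import urlparse

# Constructed samples: O-line excerpts of the log the fix list was built from and
# of the log posted after the fix. URLs are reproduced as the forum displays them.
BEFORE_LOG = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)
O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)
O23 - Service: dmscript.exe - Unknown owner - C:\WINDOWS\system32\dmscript.exe (file missing)
"""

AFTER_LOG = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")

# Assumption: hosts from which a downloaded ActiveX control (O16) is expected on
# this machine. This is local policy for the example, not a HijackThis feature.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "cdn.scan.safety.live.com", "acs.pandasoftware.com"}
# Assumption: orphaned entries known to be harmless leftovers (the XP SP2 Network
# Diagnostic button is the usual one). Keep this list short and local.
KNOWN_BENIGN_ORPHANS = {"{e2e2dd38-d088-4134-82b7-f2ba38496583}"}


def parse_hjt(text):
    """Return (section, body) pairs for the O/R/F lines of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Return {entry body: [reasons]} for entries a helper would mark 'Fix checked'."""
    flagged = {}

    def flag(body, reason):
        flagged.setdefault(body, []).append(reason)

    for section, body in entries:
        lower = body.lower()
        orphan = "(no file)" in lower or "(file missing)" in lower
        if orphan and not any(clsid in lower for clsid in KNOWN_BENIGN_ORPHANS):
            flag(body, "points at a file that no longer exists (orphan, or a loader whose payload was removed)")
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Windows loads every DLL named here into each process that loads
            # user32.dll; the value is a space- or comma-separated list.
            dlls = [d for d in re.split(r"[ ,]+", body[len("AppInit_DLLs:"):]) if d]
            if dlls:
                flag(body, "AppInit_DLLs injects %d DLL(s) into every process that loads user32.dll: %s"
                     % (len(dlls), " ".join(dlls)))
        if section == "O16":
            host = (urlparse(body.rsplit(" - ", 1)[-1]).hostname or "").lower()
            if host not in TRUSTED_DPF_HOSTS:
                flag(body, "ActiveX control downloaded from unlisted host %r" % host)
    return flagged


def diff_logs(before, after):
    """Entries removed and entries added between two logs, compared by body text."""
    b = {body for _, body in before}
    a = {body for _, body in after}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    before, after = parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG)
    for body, reasons in triage(before).items():
        print("FIX?", body, "->", "; ".join(reasons))
    removed, added = diff_logs(before, after)
    print("removed by the fix:", len(removed), "new since the fix:", len(added))
```

The output is a work list for a human, not a verdict: an orphaned entry is not proof of infection (the CDS300 protocol handler survives the fix and the helper leaves it alone), and a service whose file is missing still has to be stopped and disabled in services.msc before its registry entry is removed, exactly as the post describes.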

#6 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 25 November 2006 - 03:52 PM

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/inst...leanerstart.cab


O18 - Filter: text/html - {994D478A-45D0-4DB4-AE27-738B1E346F99} - (no file)
O20 - AppInit_DLLs: BattyRun2.dll dpmomspr.dll dminupnp.dll,ajchkfin.dll

O21 - SSODL: xAzlwIIKOM - {CC0D208A-66A7-8A20-E7E1-C534AF9C9317} - (no file)

O21 - SSODL: CDRecorder019 - {A3BC5E20-0235-1ABF-9CE1-00AA00512019} - (no file)

O23 - Service: dmocx.exe - Unknown owner - C:\WINDOWS\system32\dmocx.exe (file missing)

O23 - Service: dmscript.exe - Unknown owner - C:\WINDOWS\system32\dmscript.exe (file missing)
======================
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find this exact name

dmocx.exe

Right-click and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply then OK. File-Exit the Services utility.

Repeat for - dmscript.exe
============
DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\system32\dpmomspr.dll
C:\WINDOWS\system32\dminupnp.dll
C:\WINDOWS\system32\ajchkfin.dll

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#7 boofie75

boofie75
  • Topic Starter

  • Members
  • 61 posts

Posted 25 November 2006 - 05:49 PM

? I already did this the last time...these instances are no longer in my HijackThis. I did clean out the temp folder, as that was the only thing that had changed.

#8 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 25 November 2006 - 06:13 PM

Sorry, I looked at the wrong place.

How is the system?

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#9 boofie75

boofie75
  • Topic Starter

  • Members
  • 61 posts

Posted 25 November 2006 - 08:31 PM

Sorry, I looked at the wrong place.

How is the system?

Turn off restore points, boot, turn them back on – here’s how

http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
I still get a SystemDoctor pop up every so often, but that's it. Should I just follow the instructions in the virus/spyware forum to remove it?

Thank you so much for all of your help, you guys are a Godsend.

#10 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 26 November 2006 - 12:05 PM

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new hijack log.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non infected computer will remove your Desktop background.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 boofie75

boofie75
  • Topic Starter

  • Members
  • 61 posts

Posted 26 November 2006 - 03:31 PM

Thanks again. I did what you said, and not long after booting to normal mode a dialog box popped up telling me about how my registry may be infected, and if I wanted to download and run SystemDoctor, just like before. I said no, and it popped up anyway, so I closed out of it.

Here is the log after I ran SmitFraud:

SmitFraudFix v2.124

Scan done at 14:19:40.20, 11/26/06
Run from C:\Documents and Settings\Brad Hofbauer\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
And my HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 2:27:15 PM, on 11/26/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AdobeVersionCue] "C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871013421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\ADOBE\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Edited by boofie75, 26 November 2006 - 03:32 PM.


#12 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 26 November 2006 - 04:08 PM

Kill Windows Messenger - http://vlaurie.com/computers2/Articles/messenger.htm

Right-click hijackthis.exe and rename it to bleep.exe

Edited by MFDnSC, 26 November 2006 - 04:09 PM.

"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#13 boofie75

boofie75
  • Topic Starter

  • Members
  • 61 posts

Posted 26 November 2006 - 05:13 PM

Done. If I may ask, what does renaming HijackThis.exe to bleep.exe do?
I don't seem to be getting the popup anymore, either. Am I ok now?

#14 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 26 November 2006 - 05:15 PM

Some things hide from HijackThis; post a new log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#15 boofie75
Topic Starter, Members, 61 posts

Posted 26 November 2006 - 05:55 PM

Logfile of HijackThis v1.99.1
Scan saved at 4:52:15 PM, on 11/26/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\bleep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\system32\polfjwvk.dll
O2 - BHO: (no name) - {4BF6BACE-D38E-4DEE-A7F1-4B6EBAA9BA28} - C:\WINDOWS\system32\ddcyv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A89F2291-C95A-9981-2D70-C989192F699D} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\ADOBE\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [AdobeVersionCue] "C:\ADOBE\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\ADOBE\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/d...lscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871020625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163871013421
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: CDS300 - {AD43AA67-6860-4531-AC8A-0E68F9CF023E} - (no file)
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: ddcyv - C:\WINDOWS\system32\ddcyv.dll
O20 - Winlogon Notify: Setup - C:\WINDOWS\
O20 - Winlogon Notify: swprodte - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winxwp32 - winxwp32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\ADOBE\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe