Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Help Me Remove Clickspring.purityscan


  • This topic is locked This topic is locked
10 replies to this topic

#1 nkrypted

nkrypted

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 20 May 2007 - 01:09 PM

I need some help with removing this annoying clickspring.purityscan malware/adware. I don't know how I got it but I don't want it.

here's my hijacklog:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:28 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\SBO\SG1084.exe
C:\Program Files\Web Buying\v1.6.8\webbuying.exe
C:\WINDOWS\system32\PPPATC~1\services.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\s?mbols\arpa.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Documents and Settings\Connor\Desktop\HiJackThis_v2.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Documents and Settings\Connor\Desktop\hijackthis\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE0AF49-6F80-4D05-F64E-6EE34FE3AAC6} - C:\WINDOWS\system32\iufvqj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe
O4 - HKCU\..\Run: [Eaht] "C:\WINDOWS\system32\PPPATC~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qdhv] C:\WINDOWS\system32\s?mbols\arpa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146541398578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146541594078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

BC AdBot (Login to Remove)

 


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 20 May 2007 - 04:11 PM

Hello,

You are dealing with A LOT more malware than only purityscan.

When a system is infected, the first thing you should do is to perform a scan with your Antivirus and let it remove anything it is finding. Unfortunately I don't see you performed a scan - because I don't even see an Antivirus and Firewall installed.
This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirusscanner or firewall on your system! Several together can give problems and decrease the reliability of it seriously!
Comodo OR Kerio are FREE firewalls.

Understanding and using firewalls

Perform a full scan with your Antivirus and let it remove anything it is finding.
Then reboot.
After reboot, post a new HijackThislog in your next reply. Then we'll start from there.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 nkrypted

nkrypted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 20 May 2007 - 09:58 PM

Thank you for your help. I've downloaded both AVG and comodo. installed them. Ran a scan, rebooted and ran a hijack scan. Here's the log.

Logfile of HijackThis v1.99.1
Scan saved at 9:51:48 PM, on 5/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\retadpu1000137.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Web Buying\v1.6.8\webbuying.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\PPPATC~1\services.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\s?mbols\arpa.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Connor\Desktop\hijackthis\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AE0AF49-6F80-4D05-F64E-6EE34FE3AAC6} - C:\WINDOWS\system32\iufvqj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe
O4 - HKCU\..\Run: [Eaht] "C:\WINDOWS\system32\PPPATC~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qdhv] C:\WINDOWS\system32\s?mbols\arpa.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146541398578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146541594078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 21 May 2007 - 01:09 AM

Hello,

Let's deal with the rest now....

It is important you don't miss a step and perform everything in the right order!!

Go to start > controlpanel > software > add/remove programs and uninstall next if present:

Web Buying
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


Also, I see you have PartyPoker installed.
If you didn't install it with intension to play with, I suggest you uninstall it, because in most cases, these programs are supported by malware, getting installed without asking for it and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.


Reboot when done! Really important!

After reboot,

* Download Brute Force Uninstaller.
Unzip it to a folder of itís own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {4AE0AF49-6F80-4D05-F64E-6EE34FE3AAC6} - C:\WINDOWS\system32\iufvqj.dll
O2 - BHO: Plugin - {C318CD44-E327-4377-A28E-6EC16A921AE8} - C:\Program Files\Web Buying\v1.6.8\webbuying.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.6.8\webbuying.exe
O4 - HKCU\..\Run: [Eaht] "C:\WINDOWS\system32\PPPATC~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [Qdhv] C:\WINDOWS\system32\s?mbols\arpa.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post next logs in your following reply:
  • Log from combofix (combofix.txt) - do NOT post the ComboFix-quarantined-files.txt - unless I ask you to
  • Log from AVG Antispyware <== in case this log is HUGE, go to this page and upload it there
  • New HijackThislog
You may need several replies to post the logs in case they won't fit in one reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 nkrypted

nkrypted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 21 May 2007 - 10:47 AM

Here is the combofix log.

"Connor" - 2007-05-21 10:26:54 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Connor\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\DOCUME~1\Connor\Desktop.\internet explorer.lnk
C:\WINDOWS\system32\bszip.dll
C:\Program Files\outerinfo
C:\WINDOWS\system32\smpi1
C:\WINDOWS\system32\drivers\core.sys
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1
C:\qoobox\purity\C\WINDOWS\system32\SMBOLS~1
C:\qoobox\purity\C\WINDOWS\system32\PPPATC~1\?ppPatch


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\core


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-21 ))))))))))))))))))))))))))))))))))


2007-05-21 09:16 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-21 09:02 <DIR> d-------- C:\bintheredunthat
2007-05-21 08:58 <DIR> d-------- C:\bfu
2007-05-20 20:24 <DIR> d-------- C:\DOCUME~1\Connor\APPLIC~1\Comodo
2007-05-20 20:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
2007-05-20 20:19 <DIR> d-------- C:\Program Files\Comodo
2007-05-20 08:43 90,112 --a------ C:\WINDOWS\system32\st.exe
2007-05-20 08:43 509 --a------ C:\WINDOWS\system32\x.dat
2007-05-20 08:43 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-14 23:40 <DIR> d-------- C:\New Folder
2007-05-14 23:39 <DIR> d-------- C:\Program Files\support.com
2007-05-14 23:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Support.com
2007-05-08 21:13 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-05-07 20:57 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-05-07 20:54 <DIR> d-------- C:\7e738da5f06d5d078aaee0144677db


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-20 13:44:40 -------- d-----w C:\Program Files\Windows NT
2007-05-18 21:25:09 -------- d-----w C:\Program Files\StepMania
2007-05-15 00:28:43 -------- d-----w C:\Program Files\LimeWire
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-02-05 20:17:02 185,344 ----a-w C:\WINDOWS\system32\upnphost.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll [2006-10-12 04:25]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-08-30 02:06 C:\WINDOWS\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" []
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 02:49]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-14 10:04]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 04:10]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-20 20:19]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-05-20 20:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 09:13]



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070521-091356-811
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

???????????????????????????????????????????4??????????????????????????????????4???=??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=??

backup-20070521-091355-155
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)

???????????????????????????????????????????4??????????????????????????????????4???=??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????=??

backup-20070521-091355-888
O4 - HKCU\..\Run: [Qdhv] C:\WINDOWS\system32\s?mbols\arpa.exe

backup-20070521-091355-731
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000137.exe 61A847B5BBF72813329B385771FE01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

backup-20070521-091355-251
O4 - HKCU\..\Run: [Eaht] "C:\WINDOWS\system32\PPPATC~1\services.exe" -vt yazb

backup-20070521-091355-889
O2 - BHO: (no name) - {4AE0AF49-6F80-4D05-F64E-6EE34FE3AAC6} - C:\WINDOWS\system32\iufvqj.dll

backup-20070521-091355-910
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
Contents of the 'Scheduled Tasks' folder
2007-05-21 15:21:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-21 10:34:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-21 10:40:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-21 10:40

--- E O F ---


Here is the AVG scan log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:14:07 AM 5/21/2007

+ Scan result:



C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064585.exe -> Adware.Agent : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1644491937-1123561945-725345543-1003\Software\Effective-i -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1644491937-1123561945-725345543-1003\Software\Effective-i\TheSearchAccelerator -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1644491937-1123561945-725345543-1003\Software\Effective-i\TheSearchAccelerator\IE5 -> Adware.EffectiveBrandToolbar : Cleaned with backup (quarantined).
HKU\S-1-5-21-1644491937-1123561945-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1A1DDC19-5893-43AB-A73F-F41A0F34D115} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Connor\Desktop\hijackthis\HijackThis\backups\backup-20070521-091355-889.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064576.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064599.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sуmbols\arpa.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064580.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP962\A0064532.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP962\A0064533.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064575.dll -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smpi1\lb66.exe/IUCMORE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smpi1\lb66.exe/UCMTSAIE.DLL -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smpi1\lb66.exe/empty_00000001 -> Adware.Ucmore : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064546.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064564.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064586.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP964\A0064587.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\WINDOWS\wbun.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064562.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064558.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\WINDOWS\retadpu1000137.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINDOWS\system32\smpi1\lib06.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\WINDOWS\system32\АppPatch\services.exe -> Downloader.PurityScan.dx : Cleaned with backup (quarantined).
C:\Documents and Settings\Connor\Local Settings\Temporary Internet Files\Content.IE5\LR2GVTV5\!update-4395[1].0000 -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064560.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stt.exe -> Downloader.PurityScan.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP962\A0064536.exe -> Downloader.Small.eqn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP962\A0064534.dll -> Hijacker.StartPage : Cleaned with backup (quarantined).
C:\Documents and Settings\Connor\Cookies\connor@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@journalregistercompany.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@mcclatchy.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@saxoconcordmonitor.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@gatorarcade.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@getmusicfree.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ads.cnn[2].txt -> TrackingCookie.Cnn : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.228:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.231:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ehg-gatehousemedia.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ehg-groupernetworks.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ehg-maniatv.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ehg-pcsecurityshield.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.170:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.171:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.172:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.173:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.174:C:\Documents and Settings\Connor\Application Data\Mozilla\Firefox\Profiles\pc9j3ajh.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@sexlist[1].txt -> TrackingCookie.Sexlist : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@counter3.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@counter6.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@xceedads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@statse.webtrendslive[4].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@c5.zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Connor\Cookies\connor@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064561.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnsintsv.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP962\A0064542.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064557.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{801A5AC8-2A5C-42EA-AAA8-71F61FA3DB44}\RP963\A0064559.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


::Report end

And here is the new hijacklog.

Logfile of HijackThis v1.99.1
Scan saved at 10:42:37 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Connor\Desktop\hijackthis\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1146541398578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1146541594078
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 21 May 2007 - 10:54 AM

Hello,

This is looking much better. Your HijackThislog looks clean again.

Just some files and folders you have to delete, so delete next files and folders:

C:\Qoobox <== folder
C:\bintheredunthat <== folder
C:\WINDOWS\system32\st.exe <== file
C:\WINDOWS\system32\x.dat <== file
C:\WINDOWS\system32\SBO <== folder

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 nkrypted

nkrypted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 21 May 2007 - 01:22 PM

I'm not getting that annoying windows defender alert pop-up anymore. But the net is still slow. I'm also having trouble opening IE with the comodo firewall. Do I need it? is it recommended? if so..how do I get around the problem of IE not able to pull up any pages sometimes. I have to exit out of comodo to have IE running normally? is that normal?

Edited by nkrypted, 21 May 2007 - 01:33 PM.


#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 21 May 2007 - 01:52 PM

Did you block Internet Explorer in Comodo Firewall?
Look in Comodo under the Security tab > application monitor and make sure iexplore.exe is set to allow.

Anyway, in case you're still having issues with Comodo afterwards, uninstall it and try another firewall instead. Look in my signature under Firewalls for the ones I recommend.

Ofcourse a firewall is needed/recommended. The same is for an Antivirus. Because how are you supposed to prevent malware otherwise?
Since you didn't have them installed previously, you may indeed notice a difference in speed, this is normal. This because your Antivirus/Firewall also monitors webpages while browsing to make sure no malware can get installed.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 nkrypted

nkrypted
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:03:07 PM

Posted 21 May 2007 - 03:17 PM

Thanks for your help. Much appreciated. I will keep comodo as my firewall. I'll just learn how to use it properly for what I need. Again. Thanks for your help.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 21 May 2007 - 03:26 PM

Comodo has an option to scan for known programs and automatically set the correct rules for it - which makes it
To use this, open Comodo > Security tab > Tasks (tab on the left) > Scan for known applications (below)

And you're welcome :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:10:07 PM

Posted 25 May 2007 - 09:56 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users