Cpvfeed On Vista


12 replies to this topic

#1 BigJohn07

BigJohn07

  • Members
  • 15 posts

Posted 11 June 2007 - 11:00 PM

Mod edit: Log split away from this topic in the Vista forum: http://www.bleepingcomputer.com/forums/t/95564/need-help-with-removing-pop-up/

I came up with this problem when I was trying to run HJT:

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16448
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

but here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:44 PM, on 6/11/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\CONI\Documents\?ystem32\notepad.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\CONI\AppData\Local\Temp\RtkBtMnt.exe
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Users\CONI\AppData\Local\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48E7A244-65F8-3A76-A24B-6FE336EFA9E8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9B5D496F-8384-890B-DB0C-8BADD2E973EB} - C:\Windows\system32\exzupa.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Hazkbh] C:\Windows\System32\?ecurity\l?gonui.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ieuu] "C:\Users\CONI\DOCUME~1\YSTEM3~1\notepad.exe" -vt ndrv
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Edited by Papakid, 11 June 2007 - 11:16 PM.



#2 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • Gender:Female

Posted 12 June 2007 - 11:48 AM

Hi BigJohn07, I'm going to try to help you get this mess cleaned up. As Papakid said, not all our removal programs are geared to Vista yet, so we'll have to take this slowly.


Download SUPERAntiSpyware Home Edition (free version)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.

***Close all other browser windows before scanning
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Scan for tracking cookie
    • Terminate memory threats before quarantining.
    Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information, please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. It will open in your default text editor (such as Notepad/Wordpad).
  • Highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.

Please copy and paste that information here with a new HijackThis log.

MS MVP Windows-Security 2006-2016
Member of UNITE, the Unified Network of Instructors and Trusted Eliminators

Admin PC Pitstop


#3 BigJohn07

BigJohn07
  • Topic Starter

  • Members
  • 15 posts

Posted 12 June 2007 - 02:49 PM

This is my SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/12/2007 at 02:27 PM

Application Version : 3.8.1002

Core Rules Database Version : 3252
Trace Rules Database Version: 1263

Scan type : Complete Scan
Total Scan Time : 00:17:20

Memory items scanned : 708
Memory threats detected : 1
Registry items scanned : 6324
Registry threats detected : 8
File items scanned : 1501
File threats detected : 7

Adware.ClickSpring-Variant
C:\Users\CONI\DOCUME~1\YSTEM3~1\notepad.exe
C:\Users\CONI\DOCUME~1\YSTEM3~1\notepad.exe

Adware.ClickSpring
[Ieuu] C:\USERS\CONI\DOCUME~1\YSTEM3~1\NOTEPAD.EXE

Adware.ClickSpring/Resident
HKLM\Software\Classes\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}
HKCR\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}
HKCR\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}\InprocServer32
HKCR\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}\InprocServer32#ThreadingModel
HKCR\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}\Programmable
HKCR\CLSID\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}\TypeLib
C:\WINDOWS\SYSTEM32\EXZUPA.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9B5D496F-8384-890B-DB0C-8BADD2E973EB}

Adware.Tracking Cookie
C:\Users\CONI\AppData\Roaming\Microsoft\Windows\Cookies\coni@ad.outerinfo[1].txt

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\outerinfo.ico
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Users\CONI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Outerinfo


Here is my new HJT log:


An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16448
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Logfile of HijackThis v1.99.1
Scan saved at 2:44:00 PM, on 6/12/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE
C:\Users\CONI\AppData\Local\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE
C:\Windows\system32\igfxext.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Users\CONI\AppData\Local\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=566....acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48E7A244-65F8-3A76-A24B-6FE336EFA9E8} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Suggest - {5A263CF7-56A6-4D68-A8CF-345BE45BC911} - C:\Program Files\Yahoo!\Search\YSearchSuggest.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {9B5D496F-8384-890B-DB0C-8BADD2E973EB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Hazkbh] C:\Windows\System32\?ecurity\l?gonui.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

#4 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • Gender:Female

Posted 12 June 2007 - 03:08 PM

Open HijackThis. In the lower right corner click the Config... (Configuration) button.

Once in the Configuration panel, click the Misc Tools button.
Then click the Open Uninstall Manager... button.

The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.

Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.



#5 BigJohn07

BigJohn07
  • Topic Starter

  • Members
  • 15 posts

Posted 12 June 2007 - 04:03 PM

Ok, here's the list...

Acer Arcade
Acer Assist
Acer eDataSecurity Management
Acer eLock Management
Acer Empowering Technology
Acer eNet Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Acer Tour
Addintools Mechanic 1.0
Adobe Flash Player ActiveX
Adobe Reader 7.0
Apple Software Update
ArcSoft PhotoImpression
CEP - Color Enable Package
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 1.99.1
Intel® Graphics Media Accelerator Driver
iTunes
Java™ SE Runtime Environment 6 Update 1
Launch Manager
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Microsoft .NET Framework 1.1
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB927978)
MVision
MyDsc2
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
Outerinfo
PC Tools AntiVirus 3.1
PhoTags Express
QuickTime
Realtek High Definition Audio Driver
RogueRemover 1.19
Shareaza version 2.2.5.0
SimPE 0.60b (alpha)
SMSC Fast Infrared Driver
Spybot - Search & Destroy 1.4
Star Fax Cover Sheet Creator 2.25
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
TS2 Enhancer
TSR Installation Wizard
TweakVI
WexTech AnswerWorks
Window Washer
WinZip
Yahoo! Browser Services
Yahoo! Messenger
Yahoo! Toolbar

#6 Jacee

Jacee

    Bleeping around


  • Malware Response Team
  • 3,716 posts
  • Gender:Female

Posted 12 June 2007 - 04:45 PM

Please print these instructions out. Next, go offline (disconnect your modem).

Rescan with HJT and check these items:

O2 - BHO: (no name) - {48E7A244-65F8-3A76-A24B-6FE336EFA9E8} - (no file)
O2 - BHO: (no name) - {9B5D496F-8384-890B-DB0C-8BADD2E973EB} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [Hazkbh] C:\Windows\System32\?ecurity\l?gonui.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)

Close all other windows except HJT, then click 'Fix checked'.

Next, go to Control Panel, click on "Programs and Features", and uninstall:
Outerinfo

Reboot into Safe Mode:
  • Restart the computer.
  • Immediately begin gently tapping the <F8> key.
  • Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Now, using Windows Explorer, find and delete:
C:\Program Files\outlook <-- folder
C:\WINDOWS\system32\winlog.exe <-- file

Reboot normally.

Let's take a closer look inside your system with this tool:

MicroWorld - Free AntiVirus standalone scanner

Make a folder called c:\bases

Download mwav.exe from http://www.mwti.net/antivirus/free_utilities.asp to that new folder.

Run mwav.exe, which will start mwavscan.com.

Select 'all files', press 'scan', and when it is completed click 'view log'.

The log is so large that we only need to see the lines with "action taken" in them, so copy/paste those into the reply. Don't post sections if they are in antimalware backup folders.

This tool will only report, but it is thorough.

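The items Jacee lists above share structural tells: '?' characters where HijackThis could not print a look-alike file name, a bare winlog.exe with no path, a Windows 9x-era RunServices key on a Vista machine, well-known program names launched from the wrong directory, and CLSIDs or services pointing at a missing file. As an added example (not part of this thread and not HijackThis code), the Python script below encodes those tells as heuristics and runs them over lines copied from the log; the EXPECTED_HOME table is a constructed assumption. It intentionally also flags the legitimate RtHDVCpl.exe, to show that the bare-name rule needs an allowlist, and it misses exzupa.dll, which only the signature scan caught.

```python
import re
from dataclasses import dataclass

# Constructed sample: autorun, BHO and service lines copied from the HijackThis log
# in this thread, plus three benign ones (Acrobat, Synaptics, Conexant) as controls.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {48E7A244-65F8-3A76-A24B-6FE336EFA9E8} - (no file)
O2 - BHO: (no name) - {9B5D496F-8384-890B-DB0C-8BADD2E973EB} - C:\Windows\system32\exzupa.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [Hazkbh] C:\Windows\System32\?ecurity\l?gonui.exe
O4 - HKCU\..\Run: [Ieuu] "C:\Users\CONI\DOCUME~1\YSTEM3~1\notepad.exe" -vt ndrv
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# Well-known program names and the directory each legitimately runs from.
# Constructed for this example; a real baseline is larger and site-specific.
EXPECTED_HOME = {
    "notepad.exe": "c:\\windows\\",
    "logonui.exe": "c:\\windows\\system32\\",
    "outlook.exe": "c:\\program files\\microsoft office\\",
}

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted path, or everything up to the first executable-looking extension.
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat))(?=\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def command_target(cmd: str) -> str:
    """Program that a Run value launches, ignoring its arguments."""
    m = TARGET_RE.match(cmd)
    if m:
        return m.group(1) or m.group(2)
    return cmd.split()[0] if cmd.split() else cmd


def looks_obfuscated(text: str) -> bool:
    # HijackThis prints characters outside the console code page as '?'. Windows
    # does not allow '?' in file names, so a '?' (or any non-ASCII character) in
    # a value name or path means a look-alike such as "?ecurity\l?gonui.exe".
    return any(ch == "?" or ord(ch) > 127 for ch in text)


def triage_o4(key: str, name: str, cmd: str) -> list:
    reasons = []
    target = command_target(cmd)
    base = target.rsplit("\\", 1)[-1].lower()
    if looks_obfuscated(name) or looks_obfuscated(target):
        reasons.append("look-alike or unprintable characters in autorun name/path")
    if key.lower().endswith("runservices"):
        reasons.append("RunServices is a Windows 9x-era key; nothing on NT 6 should use it")
    if "\\" not in target and "%" not in target:
        # Noisy on its own: legitimate vendors (RtHDVCpl.exe here) do this too.
        reasons.append("bare file name with no path, resolved through the search order")
    home = EXPECTED_HOME.get(base)
    if home and not target.lower().startswith(home):
        reasons.append(f"{base} launched from outside its expected directory {home}")
    return reasons


def triage(log_text: str) -> list:
    """One Finding per suspicious line, listing every heuristic that fired."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reasons = []
        if section in ("O2", "O3", "O23") and line.endswith("(no file)"):
            reasons.append("registered CLSID/service whose file is missing (dangling entry)")
        m = O4_RE.match(line)
        if m:
            reasons.extend(triage_o4(m["key"], m["name"], m["cmd"]))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


def flagged(log_text: str) -> dict:
    """Map 'key:name' for O4 hits (or the whole line otherwise) to its reasons."""
    out = {}
    for f in triage(log_text):
        m = O4_RE.match(f.line)
        out[f"{m['key']}:{m['name']}" if m else f.line] = f.reasons
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
```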


#7 BigJohn07 (Topic Starter, 15 posts)

Posted 12 June 2007 - 05:50 PM

This is the log that the mwav.exe produced....



Tue Jun 12 17:33:25 2007 => Scanning File C:\Windows\DOWNLO~1\POPCAP~1.DLL
Tue Jun 12 17:33:51 2007 => File C:\Windows\DOWNLO~1\POPCAP~1.DLL tagged as "not-a-virus:Downloader.Win32.PopCap.b". Action Taken: No Action Taken.

Tue Jun 12 17:33:51 2007 => File C:\Windows\DOWNLO~1\POPCAP~1.DLL tagged as "not-a-virus:Downloader.Win32.PopCap.b". Action Taken: No Action Taken.

!! Invalid Entry outlook = C:\Program Files\outlook\outlook.exe /auto (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.
Tue Jun 12 17:34:00 2007 => ERROR!!! Invalid Entry winlog = winlog.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.

ng HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
Tue Jun 12 17:34:00 2007 => ERROR!!! Invalid Entry winlog = winlog.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices). No Action Taken.

Tue Jun 12 17:34:00 2007 => Scanning HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Tue Jun 12 17:34:00 2007 => ERROR!!! Invalid Entry ????????? = ??????????????e (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.

Tue Jun 12 17:34:27 2007 => System found infected with funwebproducts Spyware/Adware ({1d4db7d3-6ec9-47a3-bd87-1e41684e07bb})! Action taken: No Action Taken.
Tue Jun 12 17:34:29 2007 => Offending Key found: HKLM\Software\magnet !!!
Tue Jun 12 17:34:29 2007 => Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:29 2007 => Offending Key found: HKCU\Software\VB and VBA Program Settings\mc !!!
Tue Jun 12 17:34:29 2007 => Object "instantaccess Adware" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:30 2007 => Offending Key found: HKCU\\magnet !!!
Tue Jun 12 17:34:30 2007 => Object "grokster Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:32 2007 => Offending file found: C:\Windows\DOWNLO~1\popcaploader.dll
Tue Jun 12 17:34:32 2007 => System found infected with downloader-ak Trojan-Downloader (popcaploader.dll)! Action taken: No Action Taken.


Tue Jun 12 17:34:33 2007 => Offending file found: C:\Windows\system32\bszip.dll
Tue Jun 12 17:34:33 2007 => System found infected with casinoonnet Spyware/Adware (bszip.dll)! Action taken: No Action Taken.

Tue Jun 12 17:34:33 2007 => Offending file found: C:\Users\CONI\AppData\Local\Temp\!update.exe
Tue Jun 12 17:34:33 2007 => System found infected with midaddle Spyware/Adware (!update.exe)! Action taken: No Action Taken.

Tue Jun 12 17:34:33 2007 => Offending file found: C:\Users\CONI\AppData\Local\Temp\ctxad.exe
Tue Jun 12 17:34:33 2007 => System found infected with media tickets Spyware/Adware (ctxad.exe)! Action taken: No Action Taken.

Tue Jun 12 17:34:35 2007 => Offending Folder found: C:\Users\CONI\AppData\Local\microsoft\windows sidebar\gadgets\weatherbug.gadget\images\loader
Tue Jun 12 17:34:35 2007 => Object "loader Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:35 2007 => Offending Folder found: C:\Users\CONI\AppData\Local\microsoft\windows sidebar\gadgets\weatherbug.gadget\library\js\wbclasses\universal
Tue Jun 12 17:34:35 2007 => Object "universaltb Browser Hijacker" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:35 2007 => Offending file found: C:\Users\CONI\AppData\Local\temp\!update.exe
Tue Jun 12 17:34:35 2007 => System found infected with midaddle Spyware/Adware (!update.exe)! Action taken: No Action Taken.

Tue Jun 12 17:34:35 2007 => Offending file found: C:\Users\CONI\AppData\Local\temp\ctxad.exe
Tue Jun 12 17:34:35 2007 => System found infected with media tickets Spyware/Adware (ctxad.exe)! Action taken: No Action Taken.

Tue Jun 12 17:34:35 2007 => Offending Folder found: C:\Users\CONI\AppData\Local\virtualstore\program files\funwebproducts
Tue Jun 12 17:34:35 2007 => Object "funwebproducts Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Jun 12 17:34:37 2007 => Offending file found: C:\Users\CONI\AppData\Roaming\microsoft\windows\start menu\programs\yahoo!\games\poker.url
Tue Jun 12 17:34:37 2007 => System found infected with smitfraud Browser Hijacker (poker.url)! Action taken: No Action Taken.

Tue Jun 12 17:34:37 2007 => Offending file found: C:\Users\CONI\Desktop\internet.lnk
Tue Jun 12 17:34:37 2007 => System found infected with ezula Spyware/Adware (internet.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:37 2007 => Offending file found: C:\Users\CONI\AppData\Roaming\Microsoft\Windows\Start Menu\programs\yahoo!\games\poker.url
Tue Jun 12 17:34:37 2007 => System found infected with smitfraud Browser Hijacker (poker.url)! Action taken: No Action Taken.

Tue Jun 12 17:34:38 2007 => Offending file found: C:\Users\CONI\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\yahoo!\games\poker.url
Tue Jun 12 17:34:38 2007 => System found infected with smitfraud Browser Hijacker (poker.url)! Action taken: No Action Taken.

Tue Jun 12 17:34:38 2007 => Offending file found: C:\ProgramData\Microsoft\Windows\Start Menu\programs\outerinfo\terms.lnk
Tue Jun 12 17:34:38 2007 => System found infected with popcornnet/movieland Spyware/Adware (terms.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:38 2007 => Offending file found: C:\ProgramData\Microsoft\Windows\Start Menu\programs\ucmore - the search accelerator\ucmore tour.lnk
Tue Jun 12 17:34:38 2007 => System found infected with ucmore Spyware/Adware (ucmore tour.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:39 2007 => Offending file found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\outerinfo\terms.lnk
Tue Jun 12 17:34:39 2007 => System found infected with popcornnet/movieland Spyware/Adware (terms.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:39 2007 => Offending file found: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ucmore - the search accelerator\ucmore tour.lnk
Tue Jun 12 17:34:39 2007 => System found infected with ucmore Spyware/Adware (ucmore tour.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:40 2007 => Offending file found: C:\ProgramData\microsoft\windows\start menu\programs\outerinfo\terms.lnk
Tue Jun 12 17:34:40 2007 => System found infected with popcornnet/movieland Spyware/Adware (terms.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:40 2007 => Offending file found: C:\ProgramData\microsoft\windows\start menu\programs\ucmore - the search accelerator\ucmore tour.lnk
Tue Jun 12 17:34:40 2007 => System found infected with ucmore Spyware/Adware (ucmore tour.lnk)! Action taken: No Action Taken.

Tue Jun 12 17:34:46 2007 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Users\CONI\Documents\ItsDeductible2006\ID2006DB.mdb". Action Taken: No Action Taken.

Tue Jun 12 17:34:46 2007 => Checking Installer Entries...
Tue Jun 12 17:34:48 2007 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\Folders" refers to invalid object "C:\Program Files\SpywareBot\". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Checking Shared Tools Entries...
Tue Jun 12 17:34:48 2007 => Checking File Extension Entries...
Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0000". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0001". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0002". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0003". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0004". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0005". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".0006". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".62". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".abm". Action Taken: No Action Taken.

Tue Jun 12 17:34:48 2007 => Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".tax". Action Taken: No Action Taken.

Tue Jun 12 17:36:45 2007 => File C:\Users\CONI\AppData\Local\Temp\!update.exe//PE_Patch.PECompact//PecBundle//PECompact infected by "Trojan-Downloader.Win32.PurityScan.dx" Virus! Action Taken: No Action Taken.

Tue Jun 12 17:36:45 2007 => File C:\Users\CONI\AppData\Local\Temp\!update.exe//PE_Patch.PECompact//PecBundle//PECompact infected by "Trojan-Downloader.Win32.PurityScan.dx" Virus! Action Taken: No Action Taken.

Tue Jun 12 17:36:55 2007 => File C:\Users\CONI\AppData\Local\Temp\ctxad.exe//data0002//PE_Patch.PECompact//PecBundle//PECompact tagged as "not-a-virus:AdWare.Win32.PurityScan.bu". Action Taken: No Action Taken.
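The filtering Jacee asks for in post #6 (keep only the "action taken" lines, skip hits sitting in an antimalware tool's backup folders) applied to a log in the layout BigJohn07 posted above, as an added example that is not from the thread or from the mwav tool; the sample log, the `Backups` path and the `Example.Adware` name are constructed.

```python
import re
from collections import OrderedDict

# Constructed sample in the layout of the mwav.exe log posted above; the
# "Backups" path and the "Example.Adware" name are placeholders, not thread data.
SAMPLE_LOG = r"""
Tue Jun 12 17:33:25 2007 => Scanning File C:\Windows\DOWNLO~1\POPCAP~1.DLL
Tue Jun 12 17:33:51 2007 => File C:\Windows\DOWNLO~1\POPCAP~1.DLL tagged as "not-a-virus:Downloader.Win32.PopCap.b". Action Taken: No Action Taken.
Tue Jun 12 17:34:33 2007 => Offending file found: C:\Windows\system32\bszip.dll
Tue Jun 12 17:34:33 2007 => System found infected with casinoonnet Spyware/Adware (bszip.dll)! Action taken: No Action Taken.
Tue Jun 12 17:34:37 2007 => System found infected with smitfraud Browser Hijacker (poker.url)! Action taken: No Action Taken.
Tue Jun 12 17:34:38 2007 => System found infected with smitfraud Browser Hijacker (POKER.URL)! Action taken: No Action Taken.
Tue Jun 12 17:35:01 2007 => File C:\SomeTool\Backups\old.exe tagged as "Example.Adware". Action Taken: No Action Taken.
Tue Jun 12 17:35:02 2007 => Checking Installer Entries...
"""

ACTION_LINE = re.compile(
    r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} => (?P<msg>.*?)\s*"
    r"Action [Tt]aken: (?P<action>.+?)\.?\s*$")
# Folders where antimalware tools keep their own backup copies of removed items
BACKUP_DIR = re.compile(r"\\(backups?|quarantine|recovery)\\", re.IGNORECASE)
THREAT = re.compile(r'infected with (?P<a>.+?) \(|tagged as "(?P<b>[^"]+)"')

def action_lines(log_text):
    """Keep only the findings (lines carrying 'Action Taken'), deduplicated
    case-insensitively, with hits inside backup/quarantine folders dropped."""
    kept = OrderedDict()
    for line in log_text.splitlines():
        m = ACTION_LINE.match(line)
        if not m:
            continue                       # "Scanning ..." / "Checking ..." progress lines
        msg = m.group("msg")
        if BACKUP_DIR.search(msg):
            continue                       # stored backup copy, not a live infection
        kept.setdefault(msg.lower(), msg)  # repeated hits often differ only in path case
    return list(kept.values())

def threats_by_name(lines):
    """Group kept findings by detection name so the helper sees which families are present."""
    groups = {}
    for msg in lines:
        m = THREAT.search(msg)
        name = (m.group("a") or m.group("b")) if m else "unclassified"
        groups.setdefault(name, []).append(msg)
    return groups

if __name__ == "__main__":
    for name, hits in threats_by_name(action_lines(SAMPLE_LOG)).items():
        print(f"{name}: {len(hits)} hit(s)")
```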

#8 Jacee (Malware Response Team, 3,716 posts)

Posted 12 June 2007 - 06:13 PM

ugh! :thumbsup:

Question...was this version of vista installed over XP?

Download this script; it should leave a little notepad icon on the desktop. Copy and paste that back here.
http://spyware-free.us/2007/02/whoami.html

This is going to take me some time to see how to clean your infections. Most of our tools won't work with Vista :flowers:



#9 BigJohn07 (Topic Starter, 15 posts)

Posted 12 June 2007 - 06:18 PM

I am not sure if this was installed on top of something else. I did not buy it new. That is why you will see another user name CONI in some places....

Here is the notepad that WhoAmI left:

WhoAmI by wng_z3r0
6/12/2007
6:11 PM
******************
Operating system:
Microsoft® Windows Vista™ Home Basic
Ram: 502 mb

Accounts on this computer:
Administrator
ASPNET
CONI
Guest

Current User: CONI
User is not an admin
UAC is enabled
******************

System Privileges:

SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeIncreaseWorkingSetPrivilege
SeTimeZonePrivilege


End of file

#10 BigJohn07 (Topic Starter, 15 posts)

Posted 12 June 2007 - 06:20 PM

Would it be better if I just go out and buy a new OS and install it on here? Or is this fixable? I don't want to waste your time trying to fix this if it can't be fixed.

#11 Jacee (Malware Response Team, 3,716 posts)

Posted 12 June 2007 - 06:50 PM

Well, it's really a mess! I wouldn't trust the computer to be stable. It's going to require a ton of registry cleaning. Among other spyware you have these...
W32/Rbot-ACZ.
The worm copies itself into shared folders used by common Peer to Peer (P2P) filesharing applications.
W32/Alcra-A may also modify documents containing hyperlinks by changing the hyperlink destination to point to a predefined URL.

Another --> instantaccess Adware
http://www.symantec.com/security_response/...-111618-3236-99

I would buy a legit Vista CD (not an upgrade) and wipe the computer clean before I even attempted to install the new OS.



#12 BigJohn07 (Topic Starter, 15 posts)

Posted 12 June 2007 - 07:40 PM

Ok thanks, I will see what I can do about getting a new OS....one more question though...I was connected to someone else's router while trying to fix this....all this stuff is not going to go through the router to other computers, is it?

#13 Jacee (Malware Response Team, 3,716 posts)

Posted 12 June 2007 - 08:16 PM

EEps! I sure hope not, but I don't know.

Your computer is infected with a 'bot' that will in turn infect other computers if they aren't properly protected.





