Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Ultimate Cleaner And Other Things


  • Please log in to reply
3 replies to this topic

#1 ShannonR

ShannonR

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 30 June 2007 - 02:49 AM

This seems to be getting worse by the minute. It started with Ultimate Cleaner taking over my desktop and tons of pop ups. Now there are like a half dozen different ad things that pop up and they are DRIVING ME CRAZY!

I downloaded and ran Hijackthis and combofix because it seems like that's what everyone else is doing. Please help!! My computer is quickly becoming useless.

Thank you & I apologize for my ignorance in advance...

Shannon

Logfile of HijackThis v1.99.1
Scan saved at 2:41:24 AM, on 6/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\cfgwiz.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Symantec\LiveUpdate\LUAll.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Norton Internet Security\CfgWiz.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://bb61.dcc.edu
O15 - Trusted Zone: http://west.ilrn.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msole - {D56E0D6C-34E6-4725-B242-138C9FCADA81} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {CF3EBC43-D162-4C44-A94F-69FAC7C63FFE} - C:\WINDOWS\msdde.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-30 2:25:24 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\Desktop.\internet explorer.lnk


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-30 02:27 <DIR> d-------- C:\WINDOWS\privacy_danger
2007-06-30 02:03 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\Aim
2007-06-30 01:26 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-30 01:14 83,024 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-06-30 01:14 57,424 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-06-30 01:14 53,840 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-06-30 01:14 39,376 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-06-30 01:14 29,264 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-06-30 01:14 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\PC Tools
2007-06-30 00:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-30 00:10 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-06-30 00:05 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-06-30 00:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-06-30 00:02 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-06-29 23:56 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-29 13:24 21,504 --a------ C:\WINDOWS\xar6000v7.exe
2007-06-29 00:32 83,456 --a------ C:\WINDOWS\msdde.dll
2007-06-29 00:32 76,800 --a------ C:\WINDOWS\msole.dll
2007-06-29 00:32 30,720 --a------ C:\WINDOWS\main_uninstaller.exe
2007-06-29 00:32 266,240 --a------ C:\WINDOWS\ddesupport.dll
2007-06-29 00:04 <DIR> d-------- C:\My Downloads
2007-06-28 00:53 68,984 --a------ C:\DOCUME~1\Ang\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-25 13:31 <DIR> d-------- C:\DOCUME~1\John\APPLIC~1\Viewpoint
2007-06-23 10:15 <DIR> d-------- C:\DOCUME~1\John\APPLIC~1\Talkback
2007-06-19 16:42 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\BitDownload
2007-06-19 16:40 <DIR> d-------- C:\Program Files\idle 4
2007-06-19 16:40 <DIR> d-------- C:\Program Files\BitDownload
2007-06-19 16:40 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\idle 4
2007-06-19 16:40 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ONE TONS NAME 01
2007-06-19 04:08 <DIR> d-------- C:\Program Files\XviD
2007-06-18 19:58 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\vlc
2007-06-18 19:53 <DIR> d-------- C:\AllokMPEG4Folder
2007-06-18 18:54 <DIR> d-------- C:\Program Files\VideoLAN
2007-06-18 18:27 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\Shareaza
2007-06-18 13:35 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-06-18 04:41 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\LifeTimePorn
2007-06-18 04:38 382 --a------ C:\DOCUME~1\Ang\APPLIC~1\internaldb6334.dat
2007-06-18 04:38 363,980 --a------ C:\WINDOWS\1-fe5e180d56ed9c233080898276c260cc.exe
2007-06-18 04:38 194 --a------ C:\DOCUME~1\Ang\APPLIC~1\internaldb8467.dat
2007-06-18 04:38 184,589 --a------ C:\WINDOWS\8-25f1bf3c5e6149a5c56bfce94356a26a.exe
2007-06-18 04:38 18,432 --a------ C:\DOCUME~1\Ang\APPLIC~1\internaldb41.dat
2007-06-18 03:45 <DIR> d-------- C:\Program Files\The KMPlayer
2007-06-18 02:55 <DIR> d-------- C:\Program Files\RegCure
2007-06-17 05:00 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\DivX
2007-06-17 04:50 <DIR> d-------- C:\DOCUME~1\Ang\APPLIC~1\Talkback
2007-06-12 22:50 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-06-07 22:33 <DIR> d-------- C:\Program Files\Lionhead Studios
2007-06-05 15:00 <DIR> d-------- C:\Program Files\AC3Filter
2007-06-05 10:23 <DIR> d-------- C:\Program Files\Hoki Hoki
2007-06-04 04:02 <DIR> d-------- C:\Program Files\Gabest
2007-06-04 04:00 413,760 --a------ C:\WINDOWS\system32\DivXc32f.dll
2007-06-04 04:00 413,760 --a------ C:\WINDOWS\system32\DivXc32.dll
2007-06-04 04:00 33,280 --a------ C:\WINDOWS\system32\HUFFYUV.DLL
2007-06-04 04:00 <DIR> d-------- C:\Program Files\DivXCodec
2007-06-04 03:59 <DIR> d-------- C:\Program Files\GordianKnot
2007-06-03 14:55 28,672 --a------ C:\WINDOWS\system32\AVEQ.dll
2007-06-03 14:55 <DIR> d-------- C:\Program Files\Allok MPEG4 Converter
2007-06-03 10:02 36,734 --a------ C:\WINDOWS\system32\OggDSuninst.exe
2007-06-03 10:02 <DIR> d-------- C:\WINDOWS\system32\quicktime
2007-06-03 10:02 <DIR> d-------- C:\Program Files\NimoCodec Pack
2007-06-03 10:02 <DIR> d-------- C:\Program Files\ffdshow
2007-06-02 20:29 <DIR> d-------- C:\Program Files\Shareaza
2007-06-02 20:29 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Shareaza
2007-05-31 18:01 <DIR> d-------- C:\Program Files\MorpheusBar
2007-05-31 17:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-05-31 17:07 <DIR> d-------- C:\WINDOWS\system32\windows media
2007-05-31 17:07 <DIR> d-------- C:\Program Files\Windows Media Components
2007-05-31 17:01 309,616 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-05-31 17:01 1,415,680 --a------ C:\WINDOWS\system32\wmv9vcm.dll
2007-05-31 01:45 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-05-31 01:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 01:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 01:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 01:44 1,541,120 --a------ C:\WINDOWS\system32\divx.dll
2007-05-29 01:47 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\DivX
2007-05-21 17:30 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-05-21 17:30 <DIR> d-------- C:\Program Files\DivX


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 05:34:06 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Symantec
2007-06-30 05:17:21 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-30 05:14:01 -------- d-----w C:\Program Files\Symantec
2007-06-30 05:13:38 48,776 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-06-30 05:13:38 115,000 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-06-30 04:54:42 -------- d-----w C:\Program Files\Google
2007-06-30 04:40:35 -------- d-----w C:\Program Files\Morpheus Toolbar
2007-06-29 05:04:01 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\iMesh
2007-06-29 03:32:17 -------- d-----w C:\Program Files\LimeWire
2007-06-21 04:33:39 -------- d-----w C:\Program Files\iMesh Applications
2007-06-19 07:45:56 -------- d-----w C:\Program Files\Kazaa
2007-06-19 01:22:57 -------- d-----w C:\Program Files\Morpheus
2007-06-18 23:32:38 -------- d-----w C:\Program Files\The Weather Channel FW
2007-06-18 08:05:41 -------- d-----w C:\Program Files\Shanny
2007-06-17 12:49:18 -------- d-----w C:\Program Files\RXToolBar
2007-06-17 12:48:56 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 04:31:51 -------- d-----w C:\Program Files\AIM
2007-06-08 03:47:05 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-06-04 16:15:45 196,608 ----a-w C:\WINDOWS\system32\avisynth.dll
2007-06-01 16:11:21 4,876 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-05-31 23:53:52 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Morpheus
2007-05-30 23:43:26 -------- d-----w C:\Program Files\filesubmit
2007-05-30 10:17:21 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 19:54:55 -------- d-----w C:\Program Files\PartyGaming
2007-05-09 19:53:01 -------- d-----w C:\Program Files\PacificPoker
2007-05-09 19:51:53 -------- d-----w C:\Program Files\LiveActionPoker
2007-05-09 19:51:29 -------- d-----w C:\Program Files\Full Tilt Poker
2007-05-09 19:51:05 -------- d-----w C:\Program Files\Absolute Poker TV
2007-05-09 19:27:20 -------- d-----w C:\Program Files\Yahoo!
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:24 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-04-23 00:15:24 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll [2005-11-10 13:22]
{8E6CFDFE-79A8-421C-B854-04081690CE6B}=C:\WINDOWS\ddesupport.dll [2007-06-28 04:03]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}=C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2006-02-06 23:35]
{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}=C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2006-02-05 01:03]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-01-11 20:55]
"IS CfgWiz"="C:\Program Files\Norton Internet Security\cfgwiz.exe" [2006-02-01 22:10]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 14:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 16:08]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{D56E0D6C-34E6-4725-B242-138C9FCADA81}"="C:\WINDOWS\msole.dll" [2007-06-28 04:03]
"{CF3EBC43-D162-4C44-A94F-69FAC7C63FFE}"="C:\WINDOWS\msdde.dll" [2007-06-28 04:03]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
c:\program files\altnet\points manager\points manager.exe -s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
C:\WINDOWS\xar6000v7.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelAudioStudio]
"C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
C:\Program Files\Kazaa\kazaa.exe /SYSTRAY

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name01boreaxis]
C:\Documents and Settings\All Users\Application Data\ONE TONS NAME 01\Bodyjoy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlaxoUpdate]
C:\Program Files\Plaxo\2.6.0.20\PlaxoHelper.exe -a

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
%WINDIR%\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyAway]
C:\Program Files\SpyAway\spyaway.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
C:\Program Files\Digital Media Reader\shwiconem.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
C:\Program Files\VVSN\VVSN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5bbf6df1-0b51-11da-bd5a-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-06-30 07:23:20 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-30 02:28:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-30 2:28:43
C:\ComboFix-quarantined-files.txt ... 2007-06-30 02:28
C:\ComboFix2.txt ... 2007-06-30 01:58

--- E O F ---

BC AdBot (Login to Remove)

 


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:04 AM

Posted 30 June 2007 - 04:37 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll
O21 - SSODL: msole - {D56E0D6C-34E6-4725-B242-138C9FCADA81} - C:\WINDOWS\msole.dll
O21 - SSODL: msdde - {CF3EBC43-D162-4C44-A94F-69FAC7C63FFE} - C:\WINDOWS\msdde.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\msdde.dll
C:\WINDOWS\msole.dll
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\ddesupport.dll
C:\Program Files\VVSN <--folder
C:\Documents and Settings\All Users\Application Data\ONE TONS NAME 01 <--folder
C:\Documents and Settings\All Users\Application Data\idle 4 <--folder
C:\Program Files\idle 4 <--folder

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.

You will be rebooted back into normal mode, if not, please do it manually.

Please open notepad and and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Name01boreaxis]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Post the smitfraudfix scan results in your next reply, along with a new Hijackthis log.

Edited by D-Trojanator, 30 June 2007 - 04:38 AM.


#3 ShannonR

ShannonR
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:04 PM

Posted 01 July 2007 - 12:28 AM

Thank you so much. The pop ups have stopped so far.

SmitFraudFix v2.197

Scan done at 0:19:04.79, Sun 07/01/2007
Run from C:\Documents and Settings\Ang\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


hosts

127.0.0.1 localhost

Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files


DNS

Description: Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 68.11.16.30
DNS Server Search Order: 68.11.16.25
DNS Server Search Order: 68.1.208.25

HKLM\SYSTEM\CCS\Services\Tcpip\..\{81C00F5C-2845-4BC5-A49F-EBE41B478B9F}: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25
HKLM\SYSTEM\CS1\Services\Tcpip\..\{81C00F5C-2845-4BC5-A49F-EBE41B478B9F}: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25
HKLM\SYSTEM\CS2\Services\Tcpip\..\{81C00F5C-2845-4BC5-A49F-EBE41B478B9F}: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.11.16.30 68.11.16.25 68.1.208.25


Deleting Temp Files


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


Registry Cleaning

Registry Cleaning done.

SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Logfile of HijackThis v1.99.1
Scan saved at 12:26:35 AM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://bb61.dcc.edu
O15 - Trusted Zone: http://west.ilrn.com
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:12:04 AM

Posted 01 July 2007 - 03:24 AM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".

Open hijackthis, click 'config' (bottom right) Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'. In the field, copy and paste the filepath a few lines below.
Click open. Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes:
C:\WINDOWS\system32\mgrs.exe

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer .
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click ok.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Reboot back into normal mode.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appearing asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allows ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

Edited by D-Trojanator, 01 July 2007 - 03:25 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users