
Pop-ups


This topic is locked. 13 replies to this topic.

#1 sallyjessie (Members, 17 posts)
Posted 01 July 2007 - 11:26 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:21:15 PM, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\pwclkv.exe
C:\Program Files\Common Files\{90350479-0BB0-1033-0525-050506220001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\TWlrZSBNZXJrbGVy\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1154898451\ee\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\pwclkv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Pojeisqq] "C:\Program Files\Common Files\?racle\n?tepad.exe"
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker Rewards Poker - {6DAF93EB-C7E3-41ab-83D9-CAE1785F41BC} - C:\Program Files\pokerrewardsMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Client IP-IPX - Unknown owner - ".exe (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlrZSBNZXJrbGVy\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
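
Several entries in the log above can be caught mechanically rather than by eye: a Run value with a generated-looking name (SfKg6w) launching an executable that sits directly in C:\WINDOWS, a path under Common Files containing '?' (HijackThis 1.99.1 writes characters outside the ANSI code page as '?', so the folder only looks like Oracle\notepad.exe), a service running from a directory whose name is well-formed base64 of printable text (TWlrZSBNZXJrbGVy), and orphaned entries marked "(file missing)" or "(no file)". The triage script below is an added example, not part of the original post and not a HijackThis feature; the %WINDIR% allowlist, the heuristics and the sample lines are constructed for illustration.

```python
from __future__ import annotations
import base64
import re

# Constructed sample in HijackThis 1.99.1 line format, built from the kinds of
# entries in the log above; not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SfKg6w] C:\WINDOWS\pwclkv.exe
O4 - HKCU\..\Run: [Pojeisqq] "C:\Program Files\Common Files\?racle\n?tepad.exe"
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWlrZSBNZXJrbGVy\command.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: a small allowlist of executables that legitimately sit directly
# in %WINDIR% on XP; anything else there deserves a look.
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}

PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys|vbs)", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")
VOWELS = set("aeiouAEIOU")


def looks_random(name: str) -> bool:
    """Short alphanumeric Run value names with no vowels (e.g. 'SfKg6w') are
    typical of generated names; real products pick pronounceable ones."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{4,12}", name)) and not (set(name) & VOWELS)


def is_base64_dirname(component: str) -> bool:
    """True when a path component is well-formed base64 that decodes to
    printable ASCII, as TWlrZSBNZXJrbGVy does: a per-victim generated folder."""
    if not B64_RE.fullmatch(component) or len(component) % 4:
        return False
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False
    return text.isprintable()


def triage_line(line: str) -> list[str]:
    """Return the reasons a single HijackThis line is suspicious (empty if none)."""
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("orphaned entry: target file no longer exists")
    m = PATH_RE.search(line)
    if m:
        path = m.group(0)
        parts = path.split("\\")
        if "?" in path:
            reasons.append("'?' in path: non-ANSI characters mimicking a legitimate folder name")
        if len(parts) == 3 and parts[1].lower() == "windows" and parts[2].lower() not in WINDIR_ALLOW:
            reasons.append("unknown executable directly in %WINDIR%")
        if any(is_base64_dirname(p) for p in parts[1:-1]):
            reasons.append("directory name is base64 of printable text")
    if line.startswith("O4"):
        name = re.search(r"\[([^\]]+)\]", line)
        if name and looks_random(name.group(1)):
            reasons.append(f"Run value name '{name.group(1)}' looks generated")
    return reasons


def triage(log: str) -> dict[str, list[str]]:
    """Map every flagged log line to its list of reasons."""
    findings = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run it against a full log pasted into SAMPLE_LOG; every hit still needs a human decision (the orphaned avast! service entries in the log above are harmless leftovers, not malware), but the base64 and '?' heuristics in particular have no benign explanation on a home machine.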


#2 SifuMike, malware expert (Staff Emeritus, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)
Posted 01 July 2007 - 12:06 PM

Hello sallyjessie,

1. Download this file: combofix.exe
2. Double-click combofix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log in your next reply.

Note:
Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Edited by SifuMike, 01 July 2007 - 12:07 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 sallyjessie, Topic Starter (Members, 17 posts)
Posted 01 July 2007 - 12:42 PM

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\MIKEME~1\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\{30350~1
C:\Program Files\Common Files\{30350~1\Bar888.dll
C:\Program Files\Common Files\{30350~1\UnInstall.exe
C:\Program Files\Common Files\{90350~1
C:\Program Files\Common Files\{90350~1\Update.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\setup.exe
C:\temp\tn3
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\TWlrZSBNZXJrbGVy\asappsrv.dll
C:\WINDOWS\TWlrZSBNZXJrbGVy\command.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\Client IP-IPX
-------\cmdService
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


2007-07-01 13:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-01 13:23 1,092,209 --a------ C:\ComboFix.exe
2007-07-01 12:18 <DIR> d-------- C:\HijackThis
2007-06-27 19:56 <DIR> d-------- C:\DOCUME~1\MIKEME~1\APPLIC~1\SecondLife
2007-06-27 19:55 <DIR> d-------- C:\Program Files\SecondLife
2007-06-27 19:54 32,513,029 --a------ C:\Second Life 1-17-2-0 Setup.exe
2007-06-07 18:43 34,304 --a------ C:\WINDOWS\pwclkv.exe
2007-06-07 18:43 <DIR> d-------- C:\Program Files\WinTouch
2007-06-04 22:45 <DIR> d-------- C:\Program Files\AIM6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 15:18:00 -------- d-----w C:\Program Files\Napster
2007-07-01 05:30:05 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Skype
2007-06-30 05:49:42 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\uTorrent
2007-06-10 12:06:22 -------- d-----w C:\Program Files\Empire Poker
2007-06-07 22:30:03 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Viewpoint
2007-06-05 02:46:20 -------- d-----w C:\Program Files\Viewpoint
2007-06-03 21:14:01 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Microgaming
2007-05-26 18:52:01 20,319,104 ----a-w C:\aoe3-111-english.exe
2007-05-25 02:21:14 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Google
2007-05-25 02:20:31 -------- d-----w C:\Program Files\Google
2007-05-19 15:40:00 17,180,704 ----a-w C:\antivir_workstation_win7u_en_h.exe
2007-05-19 15:32:06 7,121,880 ----a-w C:\Windows-KB890830-V1.29.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 05:37:36 -------- d-----w C:\Program Files\pokerrewardsMPP
2007-05-09 15:35:32 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 19:44:37 2,933 ----a-w C:\WINDOWS\mozver.dat
2007-04-26 03:25:35 18,895,728 ----a-w C:\MSN_Messenger.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 06:59:08 71,275,856 ----a-w C:\SpeechSDK51.exe
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 03:09:22 2,010,624 ----a-w C:\ventrilo-2.3.0-Windows-i386.exe
2007-04-13 03:00:54 17,364,672 ----a-w C:\ashampoo_antispyware160_sm.exe
2007-04-09 18:34:25 5,037,072 ----a-w C:\spybotsd14.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\TWlrZSBNZXJrbGVy\nq5Otm1htrLOv3pV.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 01:05]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"P17Helper"="P17.dll" [2005-05-03 19:38 C:\WINDOWS\system32\P17.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2006-08-05 02:23]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 08:43]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-06-29 14:17]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"HostManager"="C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe" [2006-05-09 20:24]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"WinTouch"="C:\Program Files\WinTouch\WinTouch.exe" [2007-06-07 18:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-21 13:06]
"Pojeisqq"="C:\Program Files\Common Files\?racle\n?tepad.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca628635-3876-11db-a29e-0014bf7794a0}]
AutoRun\command- F:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-07-01 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 01:33:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-01 1:35:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 01:35

--- E O F ---
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\MIKEME~1\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\{30350~1
C:\Program Files\Common Files\{30350~1\Bar888.dll
C:\Program Files\Common Files\{30350~1\UnInstall.exe
C:\Program Files\Common Files\{90350~1
C:\Program Files\Common Files\{90350~1\Update.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows
C:\Program Files\ipwindows\ipwins.dll
C:\Program Files\ipwindows\ipwins.exe
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\winpop
C:\Program Files\winpop\UnInstall.exe
C:\Program Files\winpop\winpop.exe
C:\setup.exe
C:\temp\tn3
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\TWlrZSBNZXJrbGVy\asappsrv.dll
C:\WINDOWS\TWlrZSBNZXJrbGVy\command.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\Client IP-IPX
-------\cmdService
-------\core


((((((((((((((((((((((((( Files Created from 2007-06-01 to 2007-07-01 )))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-01 15:18:00 -------- d-----w C:\Program Files\Napster
2007-07-01 05:34:58 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Skype
2007-06-30 05:49:42 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\uTorrent
2007-06-10 12:06:22 -------- d-----w C:\Program Files\Empire Poker
2007-06-07 22:30:03 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Viewpoint
2007-06-05 02:46:20 -------- d-----w C:\Program Files\Viewpoint
2007-06-03 21:14:01 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Microgaming
2007-05-26 18:52:01 20,319,104 ----a-w C:\aoe3-111-english.exe
2007-05-25 02:21:14 -------- d-----w C:\DOCUME~1\MIKEME~1\APPLIC~1\Google
2007-05-25 02:20:31 -------- d-----w C:\Program Files\Google
2007-05-19 15:40:00 17,180,704 ----a-w C:\antivir_workstation_win7u_en_h.exe
2007-05-19 15:32:06 7,121,880 ----a-w C:\Windows-KB890830-V1.29.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 05:37:36 -------- d-----w C:\Program Files\pokerrewardsMPP
2007-05-09 15:35:32 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-02 19:44:37 2,933 ----a-w C:\WINDOWS\mozver.dat
2007-04-26 03:25:35 18,895,728 ----a-w C:\MSN_Messenger.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-18 06:59:08 71,275,856 ----a-w C:\SpeechSDK51.exe
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 03:09:22 2,010,624 ----a-w C:\ventrilo-2.3.0-Windows-i386.exe
2007-04-13 03:00:54 17,364,672 ----a-w C:\ashampoo_antispyware160_sm.exe
2007-04-09 18:34:25 5,037,072 ----a-w C:\spybotsd14.exe
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\TWlrZSBNZXJrbGVy\nq5Otm1htrLOv3pV.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-08-13 01:05]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 21:05]
"P17Helper"="P17.dll" [2005-05-03 19:38 C:\WINDOWS\system32\P17.dll]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2006-08-05 02:23]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2006-02-17 12:59]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 08:43]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 01:01]
"NapsterShell"="C:\Program Files\Napster\napster.exe" [2006-06-29 14:17]
"HP Software Update"="c:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26]
"HostManager"="C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe" [2006-05-09 20:24]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-08-22 18:05]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"WinTouch"="C:\Program Files\WinTouch\WinTouch.exe" [2007-06-07 18:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-07-21 13:06]
"Pojeisqq"="C:\Program Files\Common Files\?racle\n?tepad.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca628635-3876-11db-a29e-0014bf7794a0}]
AutoRun\command- F:\setupSNK.exe


Contents of the 'Scheduled Tasks' folder
2007-07-01 07:00:00 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-01 01:37:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-01 1:38:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-01 01:38

--- E O F ---

#4 SifuMike, malware expert (Staff Emeritus, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)
Posted 01 July 2007 - 01:18 PM

Hi sallyjessie,

Please post a fresh HijackThis log and tell me how your computer is running.
Still getting popups? :thumbsup:

#5 SifuMike, malware expert (Staff Emeritus, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)
Posted 01 July 2007 - 01:30 PM

Hi sallyjessie,

Hate to be like Columbo, but just one more thing. :thumbsup:

You have a suspicious file we need to check.

You will need to configure Windows to show Hidden files.

Go to this site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the following file:

C:\WINDOWS\pwclkv.exe

Click Open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in Notepad.
Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

Edited by SifuMike, 01 July 2007 - 01:33 PM.


#6 sallyjessie, Topic Starter (Members, 17 posts)
Posted 01 July 2007 - 01:41 PM

Here are the results of the scan:

Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 06.29.2007 TR/Dldr.Agent.buo
Authentium 4.93.8 06.29.2007 W32/Downloader2.AIRC
Avast 4.7.997.0 07.01.2007 no virus found
AVG 7.5.0.476 07.01.2007 no virus found
BitDefender 7.2 07.01.2007 no virus found
CAT-QuickHeal 9.00 06.30.2007 no virus found
ClamAV devel-20070416 07.01.2007 no virus found
DrWeb 4.33 07.01.2007 Trojan.DownLoader.26460
eSafe 7.0.15.0 06.30.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3752 06.29.2007 no virus found
Ewido 4.0 07.01.2007 no virus found
FileAdvisor 1 07.01.2007 no virus found
Fortinet 2.91.0.0 07.01.2007 no virus found
F-Prot 4.3.2.48 06.29.2007 W32/Downloader2.AIRC
F-Secure 6.70.13030.0 07.01.2007 Trojan-Downloader.Win32.Agent.buo
Ikarus T3.1.1.8 07.01.2007 no virus found
Kaspersky 4.0.2.24 07.01.2007 Trojan-Downloader.Win32.Agent.buo
McAfee 5064 06.29.2007 no virus found
Microsoft 1.2701 07.01.2007 no virus found
NOD32v2 2368 07.01.2007 no virus found
Norman 5.80.02 06.29.2007 no virus found
Panda 9.0.0.4 07.01.2007 Suspicious file
Sophos 4.19.0 06.28.2007 no virus found
Sunbelt 2.2.907.0 06.29.2007 Trojan-Downloader.Matcash
Symantec 10 07.01.2007 no virus found
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 06.30.2007 no virus found
VirusBuster 4.3.23:9 07.01.2007 no virus found
Webwasher-Gateway 6.0.1 06.29.2007 Trojan.Dldr.Agent.buo



And here is the new HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 2:43, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
c:\program files\common files\aol\1154898451\ee\aim6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Pojeisqq] "C:\Program Files\Common Files\?racle\n?tepad.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker Rewards Poker - {6DAF93EB-C7E3-41ab-83D9-CAE1785F41BC} - C:\Program Files\pokerrewardsMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Edited by sallyjessie, 01 July 2007 - 01:45 PM.


#7 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 July 2007 - 02:08 PM

Hi sallyjessie,

Did you install WinTouch and do you know what it is? :thumbsup:

*******************************************

I see you have SpywareBot running. SpywareBot is on the list of "Rogue/Suspect" anti-spyware products. See here: http://www.spywarewarrior.com/rogue_anti-spyware.htm

I recommend you get rid of it. We will uninstall it below.


I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now, if you did not install it.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player
SpywareBot


*******************************************

You have some malware on your computer. Not to worry, we will soon have it off.

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/



Please boot into Safe Mode and select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Pojeisqq] "C:\Program Files\Common Files\?racle\n?tepad.exe"




*******************************************

Next, we're going on a file hunt.
Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'Show hidden files and folders',
deselect (uncheck) 'Hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Using Windows Explorer, delete the following files/folders in bold (Do not be concerned if they do not exist)

C:\WINDOWS\pwclkv.exe <== file
C:\Program Files\SpywareBot\ <== folder
C:\Program Files\Viewpoint\ <== folder

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.

In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising that this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot to the Normal Mode.

You will need to use Internet Explorer for this scan.

Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


Post a new Hijackthis log, the BitDefender log, and tell me how your computer is running.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
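The expert's read of the HijackThis log above rests on three observations a reviewer makes by eye: a Run entry whose path contains characters Windows would never accept in a file name (the `?racle\n?tepad.exe` entry, where `?` is how the log renders a lookalike character it cannot display), a BHO registered against `(no file)`, and a program on a rogue/foistware list (SpywareBot, Viewpoint). The following script, an added example that is not a tool from this thread or from HijackThis, applies those same checks to O2/O4/O23 lines. The watch list and the sample lines are constructed from the log posted above; the illegal-character set is the set of characters Windows itself rejects in file names.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread).

Flags a line when:
  * an O4 Run target contains a character that is illegal in a Windows file
    name ('?' is how the log renders an unprintable/lookalike character), or
    any non-ASCII character;
  * an O2 BHO or O23 service registration points at a missing file;
  * the entry name or path matches a watch list (assumed list, extend as needed).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Windows rejects these in file names, so one inside a logged path means the
# real character could not be rendered (a lookalike glyph is the usual cause).
ILLEGAL_PATH_CHARS = set('<>?*|"')

# Assumed watch list, taken from the names the post above calls rogue/foistware.
WATCHLIST = ("spywarebot", "viewpoint")

O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def _target_path(cmd: str) -> str:
    """Return the executable path from a Run command: unquote it, or drop
    trailing switch-style arguments such as ' -boot' or ' /systray'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.sub(r'(\s+[-/]\S*)+$', '', cmd)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the checks to one log line; None means nothing tripped."""
    line = line.rstrip()
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        path = _target_path(m.group('cmd'))
        bad = sorted(set(path) & ILLEGAL_PATH_CHARS)
        if bad or any(ord(c) > 127 for c in path):
            reasons.append(f'path contains illegal or non-ASCII characters: {bad or "non-ASCII"}')
        haystack = (m.group('name') + ' ' + path).lower()
        if any(w in haystack for w in WATCHLIST):
            reasons.append('matches watch list')
    else:
        m = O2_RE.match(line) or O23_RE.match(line)
        if m:
            path = m.group('path')
            if '(no file)' in path or '(file missing)' in path:
                reasons.append('registration points at a missing file')
            if any(w in path.lower() for w in WATCHLIST):
                reasons.append('matches watch list')
    return Finding(line, reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """One Finding per line that trips at least one check, in log order."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [Pojeisqq] "C:\Program Files\Common Files\?racle\n?tepad.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

if __name__ == '__main__':
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print('   ->', reason)
```

The output is a review prompt, not a verdict: on the full log above the missing-file check also trips on the two avast! scanner services, which the expert left alone, so each finding still needs the kind of judgement shown in the post. The sample input deliberately mixes the three flagged entries with clean avast! and Skype lines so the clean ones can be seen passing.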

#8 sallyjessie

sallyjessie
  • Topic Starter
  • Members
  • 17 posts

Posted 01 July 2007 - 05:21 PM

I don't remember installing WinTouch and no, I don't know what it is.

Here is the BitDefender log:

Statistics

Time
01:12:27

Files
210208

Folders
5360

Boot Sectors
4

Archives
2761

Packed Files
10872




Results

Identified Viruses
14

Infected Files
31

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
31




Engines Info

Virus Definitions
636189

Engine build
AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)

Scan plugins
14

Archive plugins
38

Unpack plugins
6

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Infected with: Trojan.Downloader.PurityScan.CR

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\Common Files\{30350~1\Bar888.dll.vir
Infected with: Trojan.Downloader.Adload.JM

C:\QooBox\Quarantine\C\Program Files\Common Files\{30350~1\Bar888.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Common Files\{30350~1\Bar888.dll.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\Common Files\{90350~1\Update.exe.vir
Infected with: Trojan.Downloader.Adload.JM

C:\QooBox\Quarantine\C\Program Files\Common Files\{90350~1\Update.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Common Files\{90350~1\Update.exe.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.dll.vir
Infected with: Trojan.Matcash.DLL

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.dll.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir
Infected with: Trojan.Rond.A

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Ipwindows\ipwins.exe.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir
Infected with: Trojan.Popwin.BK

C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\WinPop\UnInstall.exe.vir
Deleted

C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir
Infected with: Trojan.Popwin.BK

C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\WinPop\winpop.exe.vir
Deleted

C:\RECYCLER\S-1-5-18\Dc36\Update.exe
Infected with: Trojan.Downloader.Adload.JM

C:\RECYCLER\S-1-5-18\Dc36\Update.exe
Disinfection failed

C:\RECYCLER\S-1-5-18\Dc36\Update.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027722.exe
Infected with: Trojan.Dnschange.F

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027722.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027722.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027723.vbs
Infected with: Trojan.Small.WY

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027723.vbs
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027723.vbs
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027725.exe
Infected with: Trojan.Dloader.AFR

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027725.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027725.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP266\A0027820.exe
Infected with: Trojan.Downloader.Purityscan.EG

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP266\A0027820.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP266\A0027820.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP266\A0027826.exe
Infected with: Trojan.Downloader.PurityScan.EG

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP266\A0027826.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028161.exe
Infected with: Trojan.Downloader.Tsupdate.R

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028161.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028161.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028162.exe
Infected with: Trojan.Downloader.TSUpdate.Q

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028162.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028162.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028168.exe
Infected with: Trojan.Downloader.Tsupdate.N

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028168.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028168.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028169.exe
Infected with: Trojan.Downloader.TSUpdate.Q

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028169.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP275\A0028169.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028349.exe
Infected with: Trojan.Downloader.Adload.JM

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028349.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028349.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028350.exe
Infected with: Trojan.Downloader.Adload.GY

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028350.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP285\A0028350.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031282.dll
Infected with: Trojan.Matcash.DLL

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031282.dll
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031282.dll
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031283.exe
Infected with: Trojan.Rond.A

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031283.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031283.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031285.dll
Infected with: Trojan.Matcash.DLL

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031285.dll
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031285.dll
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031286.exe
Infected with: Trojan.Rond.A

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031286.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031286.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031291.exe
Infected with: Trojan.Downloader.PurityScan.CR

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031291.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031291.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031296.dll
Infected with: Trojan.Matcash.DLL

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031296.dll
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031296.dll
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031297.exe
Infected with: Trojan.Rond.A

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031297.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031297.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031299.exe
Infected with: Trojan.Popwin.BK

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031299.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031299.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031300.exe
Infected with: Trojan.Popwin.BK

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031300.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031300.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031301.dll
Infected with: Trojan.Downloader.Adload.JM

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031301.dll
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031301.dll
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031303.exe
Infected with: Trojan.Downloader.Adload.JM

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031303.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP346\A0031303.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP347\A0032298.exe
Infected with: Trojan.Downloader.Adload.JM

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP347\A0032298.exe
Disinfection failed

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP347\A0032298.exe
Deleted




Here is the HijackThis log:




Logfile of HijackThis v1.99.1
Scan saved at 6:20, on 7/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinTouch\WinTouch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker Rewards Poker - {6DAF93EB-C7E3-41ab-83D9-CAE1785F41BC} - C:\Program Files\pokerrewardsMPP\MPPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)
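Reading the BitDefender log above, the question a responder needs answered is not just "how many detections" but "where were they": a file under a quarantine folder, the Recycle Bin or a System Restore point is an archived copy, not a running component. The script below, an added example and not part of the thread or of BitDefender, parses the path/status pairs the log is made of, classifies each path by location, counts families, and lists what the scanner could not delete. The sample is a constructed subset of the posted records plus one hypothetical "live" path (with a placeholder family name) so the live branch is exercised.

```python
"""Summarise a BitDefender Online Scan export (added example, not from the thread).

The export lists each file as repeated pairs of lines:
    <path>
    Infected with: <family>      (or)   Disinfection failed   (or)   Deleted
"""
import re
from collections import Counter
from typing import Dict, List

INFECTED_RE = re.compile(r'^Infected with:\s*(.+)$')


def classify(path: str) -> str:
    """Where a detected file lived; only 'live' paths are active components."""
    p = path.lower()
    if '\\qoobox\\quarantine\\' in p:
        return 'quarantine'        # ComboFix quarantine folder
    if '\\system volume information\\_restore' in p:
        return 'restore-point'     # System Restore snapshot
    if p.startswith('c:\\recycler\\'):
        return 'recycle-bin'
    return 'live'


def parse_records(text: str) -> Dict[str, dict]:
    """Fold the path/status pairs into {path: {'family': ..., 'statuses': [...]}}."""
    records: Dict[str, dict] = {}
    lines = [l.rstrip() for l in text.splitlines()]
    i = 0
    while i < len(lines) - 1:
        path, status = lines[i], lines[i + 1]
        if path and status:                      # a record is path followed by status
            rec = records.setdefault(path, {'family': None, 'statuses': []})
            m = INFECTED_RE.match(status)
            if m:
                rec['family'] = m.group(1)
            else:
                rec['statuses'].append(status)
            i += 2
        else:
            i += 1                               # skip blank separator lines
    return records


def summarize(text: str) -> dict:
    recs = parse_records(text)
    return {
        'locations': Counter(classify(p) for p in recs),
        'families': Counter(r['family'] for r in recs.values() if r['family']),
        'not_removed': [p for p, r in recs.items() if 'Deleted' not in r['statuses']],
        'live': [p for p in recs if classify(p) == 'live'],
    }


# Constructed sample: three records copied from the log above plus one
# hypothetical live path with a placeholder family name.
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Infected with: Trojan.Downloader.PurityScan.CR

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1122OinAdmin.exe.vir
Deleted

C:\RECYCLER\S-1-5-18\Dc36\Update.exe
Infected with: Trojan.Downloader.Adload.JM

C:\RECYCLER\S-1-5-18\Dc36\Update.exe
Deleted

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027722.exe
Infected with: Trojan.Dnschange.F

C:\System Volume Information\_restore{F6957B5C-321D-48CC-9B91-17643B109C69}\RP261\A0027722.exe
Deleted

C:\Program Files\Example\live.exe
Infected with: Constructed.Placeholder.Family

C:\Program Files\Example\live.exe
Disinfection failed
"""

if __name__ == '__main__':
    s = summarize(SAMPLE_LOG)
    print('by location:', dict(s['locations']))
    print('by family:  ', dict(s['families']))
    print('not removed:', s['not_removed'])
    print('live paths: ', s['live'])
```

Run against the full export above, every path classifies as quarantine, recycle-bin or restore-point and nothing as live, which is why the follow-up in the thread concentrates on the remaining Run entry rather than on the 31 deleted files. The "Disinfection failed" then "Deleted" pairs simply reflect the scan settings shown in the log (First Action Disinfect, Second Action Delete).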

#9 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 July 2007 - 07:26 PM

Hi sallyjessie,

I don't remember installing WinTouch and no, I don't know what it is.


OK, then let's check it. :thumbsup:


You will need to configure Windows to show Hidden files.

Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\Program Files\WinTouch\WinTouch.exe


Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

#10 sallyjessie

sallyjessie
  • Topic Starter
  • Members
  • 17 posts

Posted 01 July 2007 - 09:30 PM

Here are the WinTouch results:



Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
AntiVir 7.4.0.37 07.01.2007 no virus found
Authentium 4.93.8 06.29.2007 no virus found
Avast 4.7.997.0 07.02.2007 no virus found
AVG 7.5.0.476 07.01.2007 no virus found
BitDefender 7.2 07.02.2007 no virus found
CAT-QuickHeal 9.00 06.30.2007 no virus found
ClamAV devel-20070416 07.01.2007 no virus found
DrWeb 4.33 07.02.2007 no virus found
eSafe 7.0.15.0 06.30.2007 suspicious Trojan/Worm
eTrust-Vet 30.8.3752 06.29.2007 no virus found
Ewido 4.0 07.01.2007 no virus found
FileAdvisor 1 07.02.2007 no virus found
Fortinet 2.91.0.0 07.01.2007 no virus found
F-Prot 4.3.2.48 06.29.2007 no virus found
F-Secure 6.70.13030.0 07.02.2007 no virus found
Ikarus T3.1.1.8 07.01.2007 no virus found
Kaspersky 4.0.2.24 07.02.2007 no virus found
McAfee 5064 06.29.2007 no virus found
Microsoft 1.2701 07.02.2007 no virus found
NOD32v2 2368 07.01.2007 no virus found
Norman 5.80.02 06.29.2007 no virus found
Panda 9.0.0.4 07.01.2007 Suspicious file
Sophos 4.19.0 06.24.2007 no virus found
Sunbelt 2.2.907.0 06.29.2007 Trojan-Downloader.Matcash
Symantec 10 07.02.2007 no virus found
TheHacker 6.1.6.140 06.28.2007 no virus found
VBA32 3.12.0.2 07.02.2007 no virus found
VirusBuster 4.3.23:9 07.01.2007 no virus found
Webwasher-Gateway 6.0.1 07.01.2007 no virus found
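The VirusTotal table above is the kind of result that needs interpretation rather than a count: most engines report nothing, two report only a heuristic "suspicious", and one (Sunbelt) gives a named family, Matcash, which is the same family BitDefender reported earlier in the thread under the Ipwindows paths. The script below, an added example that is not part of the thread or of VirusTotal, parses that plain-text table, separates named detections from heuristic ones, and checks whether a named family overlaps with families seen in another scan. The sample table is a constructed subset of the rows posted above; the generic-token list used for family matching is an assumption.

```python
"""Interpret a VirusTotal plain-text result table (added example, not from the thread).

Row layout, as posted: <engine> <version> <dd.mm.yyyy> <result, may contain spaces>
"""
import re
from typing import Dict, List, Set

ROW_RE = re.compile(
    r'^(?P<engine>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$')
CLEAN = 'no virus found'
HEURISTIC_WORDS = ('suspicious', 'generic', 'heur')
# Tokens that name a class rather than a family; assumed list, extend as needed.
GENERIC_TOKENS = {'trojan', 'downloader', 'dll', 'exe', 'win32', 'worm', 'virus'}


def parse_table(text: str) -> List[dict]:
    """Rows with engine/version/updated/result; the header row has no date and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def detection_summary(text: str) -> dict:
    """Split hits into named detections and heuristic-only ones."""
    rows = parse_table(text)
    hits = [r for r in rows if r['result'].strip().lower() != CLEAN]
    named = {r['engine']: r['result'] for r in hits
             if not any(w in r['result'].lower() for w in HEURISTIC_WORDS)}
    heuristic = {r['engine']: r['result'] for r in hits if r['engine'] not in named}
    return {'engines': len(rows), 'detections': len(hits),
            'named': named, 'heuristic': heuristic}


def family_tokens(name: str) -> Set[str]:
    """Family words from a detection name, minus class words and variant letters."""
    return {t for t in re.split(r'[^a-z0-9]+', name.lower())
            if len(t) > 2 and t not in GENERIC_TOKENS}


def family_overlap(vt_named: Dict[str, str], other_names: List[str]) -> Dict[str, Set[str]]:
    """Engines whose named detection shares a family token with another scan's names."""
    other: Set[str] = set()
    for n in other_names:
        other |= family_tokens(n)
    return {engine: family_tokens(res) & other
            for engine, res in vt_named.items() if family_tokens(res) & other}


# Constructed sample: a subset of the table posted above.
SAMPLE_TABLE = """Antivirus Version Update Result
AhnLab-V3 2007.6.30.0 06.29.2007 no virus found
eSafe 7.0.15.0 06.30.2007 suspicious Trojan/Worm
Kaspersky 4.0.2.24 07.02.2007 no virus found
Panda 9.0.0.4 07.01.2007 Suspicious file
Sunbelt 2.2.907.0 06.29.2007 Trojan-Downloader.Matcash
Symantec 10 07.02.2007 no virus found
VirusBuster 4.3.23:9 07.01.2007 no virus found
"""

# Families reported earlier in the thread by BitDefender (copied from that log).
EARLIER_FAMILIES = ['Trojan.Matcash.DLL', 'Trojan.Rond.A', 'Trojan.Popwin.BK']

if __name__ == '__main__':
    s = detection_summary(SAMPLE_TABLE)
    print(f"{s['detections']} of {s['engines']} engines flagged the file")
    print('named:    ', s['named'])
    print('heuristic:', s['heuristic'])
    print('overlap with earlier scan:', family_overlap(s['named'], EARLIER_FAMILIES))
```

A low detection ratio alone says little about a file; a named family that matches what another scanner already found on the same machine is the more useful signal, and that is the correlation the expert acts on in the next post.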

#11 SifuMike

SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 01 July 2007 - 11:00 PM

Hi sallyjessie,

Let's get rid of it. :thumbsup:

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O4 - HKLM\..\Run: [WinTouch] C:\Program Files\WinTouch\WinTouch.exe

Run CCleaner.

Reboot, post a fresh Hijackthis log and tell me how your computer is running.

#12 sallyjessie

sallyjessie
  • Topic Starter
  • Members
  • 17 posts

Posted 02 July 2007 - 05:42 PM

Seems to be fine now, thanks. Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 6:38, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154898451\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Poker Rewards Poker - {6DAF93EB-C7E3-41ab-83D9-CAE1785F41BC} - C:\Program Files\pokerrewardsMPP\MPPoker.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)
O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

#13 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:37 PM

Posted 02 July 2007 - 06:31 PM

Hi sallyjessie,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:11:37 PM

Posted 10 July 2007 - 01:23 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.