Infected with multiple trojans / spyware / adware including Internet S


This topic is locked

#1
buice
Member, 84 posts
Hello,

I am having problems with ad windows that pop up, even when I am not using an internet browser. The popup windows say:

rond.starsdoor.com
searchvirtuoso.com
By Internet Speed Monitor

I followed all of the steps in the "You must Read This Before Posting a Hijackthis Log", and below are all of the logs. I noticed that my computer is infected with additional trojans, adware, and spyware. Hopefully I can get those taken care of as well!


AVG Anti-Spyware
---------------------------------------------------------

I ran the AVG Anti-Spyware scan, but was not able to get a report to run.


SUPERAntiSpyware
---------------------------------------------------------

SUPERAntiSpyware Scan Log
Generated 09/09/2007 at 07:24 PM

Application Version : 3.6.1000

Core Rules Database Version : 3206
Trace Rules Database Version: 1216

Scan type : Complete Scan
Total Scan Time : 05:42:02

Memory items scanned : 447
Memory threats detected : 2
Registry items scanned : 6097
Registry threats detected : 2
File items scanned : 67393
File threats detected : 18

Adware.ClickSpring-Variant
C:\PROGRA~1\COMMON~1\MCROSO~1\DVDPLAY.EXE
C:\PROGRA~1\COMMON~1\MCROSO~1\DVDPLAY.EXE
C:\PROGRAM FILES\COMMON FILES\MCROSO~1\DVDPLAY.EXE

Adware.ClickSpring/Resident
C:\DOCUME~1\JESSIC~1\MYDOCU~1\MCROSO~1.NET\EXPLOR~1.EXE
C:\DOCUME~1\JESSIC~1\MYDOCU~1\MCROSO~1.NET\EXPLOR~1.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][1].txt
C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][1].txt
C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][2].txt
C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][1].txt
C:\Documents and Settings\Jessica Pendleton\Cookies\jessica pendleton@exitexchange[1].txt

Adware.AdSponsor
HKCR\AppId\AdBand.DLL
HKCR\AppId\AdBand.DLL#AppID

Adware.ClickSpring/Outer Info Network
C:\Program Files\Outerinfo\Terms.rtf
C:\Program Files\Outerinfo
C:\Documents and Settings\Jessica Pendleton\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Jessica Pendleton\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Jessica Pendleton\Start Menu\Programs\Outerinfo

Adware.ClickSpring/Yazzle
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINADMIN.EXE
C:\PROGRAM FILES\COMMON FILES\YAZZLE1552OINUNINSTALLER.EXE

Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{46DE8921-1D39-44D2-A9E9-64119261F211}\RP492\A0081486.EXE

Trace.Known Threat Sources
C:\Documents and Settings\Jessica Pendleton\Local Settings\Temporary Internet Files\Content.IE5\HCOVXL0P\client_settings_3[1].bin
C:\Documents and Settings\Jessica Pendleton\Local Settings\Temporary Internet Files\Content.IE5\O7ZRAKLD\campaigns8[1].encrypted


Panda Activescan
---------------------------------------------------------


Incident Status Location

Adware:Adware/Winpopup Not disinfected C:\Program Files\WinPop\winpop.exe
Virus:Trj/Downloader.QBW Disinfected Operating system
Virus:Trj/ConHook.AH Disinfected Operating system
Virus:Trj/DNSChanger.XB Disinfected Operating system
Adware:adware/wintools Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Adware:Adware/Yazzle Not disinfected C:\25.tmp
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][2].txt
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Jessica Pendleton\Cookies\jessica [email protected][1].txt
Virus:Trj/Downloader.QBW Disinfected C:\Documents and Settings\Jessica Pendleton\Local Settings\Temporary Internet Files\Content.IE5\CL6J09Y7\barsik[1]
Hacktool:Exploit/MS06-006 Not disinfected C:\Documents and Settings\Jessica Pendleton\Local Settings\Temporary Internet Files\Content.IE5\HCOVXL0P\nsp[1].mov
Virus:Trj/Downloader.QCO Disinfected C:\Documents and Settings\Jessica Pendleton\Local Settings\Temporary Internet Files\Content.IE5\U53GPSRE\nsp[1]
Virus:Generic Trojan Disinfected C:\Program Files\InetGet2\popinstall.exe
Adware:Adware/Winpopup Not disinfected C:\WINDOWS\b122.exe
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\awvtrpm.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\efeedda.dll
Virus:Trj/ConHook.AH Disinfected C:\WINDOWS\SYSTEM32\HTICOS1.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\jkkhhed.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\khhfdaa.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\pmkiifg.dll
Virus:Trj/DNSChanger.XB Disinfected C:\WINDOWS\SYSTEM32\yabcbca.dll


HijackThis Log
---------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 7:04:46 PM, on 9/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ISM\ISMModule3.exe
C:\Program Files\WinPop\winpop.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0D1FFFA5-326D-3EC8-6551-4A71C5059593} - C:\WINDOWS\system32\erolc.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb2.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp3E.tmp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\MCROSO~1\dvdplay.exe" -vt yazb
O4 - HKCU\..\Run: [ISMModule3] "C:\Program Files\ISM\ISMModule3.exe"
O4 - HKCU\..\Run: [Fsya] "C:\Documents and Settings\Jessica Pendleton\My Documents\M?crosoft.NET\?explore.exe"
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174869198854
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: c:\windows\system32\efeedda.dll
O20 - Winlogon Notify: !SASWinLogon - C:\HJT\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: HTICOS1 - HTICOS1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Jessica Pendleton\Application Data\tmp39.tmp.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



Thanks!!!
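The HijackThis log above is read by eye in this thread; the following is an added example (not part of the thread or of HijackThis) of doing the same first pass programmatically. The heuristics are this example's own and SAMPLE_LOG is a constructed excerpt of lines copied from the posted log plus one known-benign entry.

```python
"""Triage a HijackThis (v1.99.1) log for the autostart patterns visible in the
posted log. Added example, not part of the thread or of HijackThis; the
heuristics are this example's own, and SAMPLE_LOG is a constructed excerpt of
lines copied from the posted log plus one known-benign entry."""
import re
from typing import List, Tuple

# Entry prefix, e.g. "O2 - ..." or "R1 - ..."
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")
# tmpNN.tmp.dll / tmpNN.tmp.exe registered as a BHO, service or notify module
TMP_BINARY_RE = re.compile(r"\\tmp[0-9a-f]+\.tmp\.(?:dll|exe)\b", re.IGNORECASE)
# HijackThis prints non-ASCII characters as '?', so a '?' inside a drive-letter
# path (M?crosoft.NET\?explore.exe) is a lookalike file name, not a wildcard
LOOKALIKE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*\?')
# An executable launched from a user profile (a user-writable location)
PROFILE_EXE_RE = re.compile(r'\\Documents and Settings\\[^"]*\.exe\b', re.IGNORECASE)

# Constructed sample: entries copied from the posted log, first one is benign
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0D1FFFA5-326D-3EC8-6551-4A71C5059593} - C:\WINDOWS\system32\erolc.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp3E.tmp.dll
O4 - HKCU\..\Run: [Fsya] "C:\Documents and Settings\Jessica Pendleton\My Documents\M?crosoft.NET\?explore.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - AppInit_DLLs: c:\windows\system32\efeedda.dll
O20 - Winlogon Notify: HTICOS1 - HTICOS1.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Jessica Pendleton\Application Data\tmp39.tmp.exe (file missing)
"""


def triage_line(line: str) -> List[str]:
    """Return the reasons this entry deserves a closer look (empty if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO with no name")
    if TMP_BINARY_RE.search(body):
        reasons.append("temp-named binary in an autostart location")
    if LOOKALIKE_PATH_RE.search(body):
        reasons.append("path contains '?' (non-ASCII lookalike character)")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs populated (DLL loaded into every process that loads user32.dll)")
    if "Unknown owner" in body:
        reasons.append("service with unknown owner")
    if "(file missing)" in body:
        reasons.append("autostart points at a missing file")
    if section == "O4" and PROFILE_EXE_RE.search(body):
        reasons.append("Run entry launches an executable from a user profile")
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage_line over a whole log; returns (entry, reasons) for flagged entries."""
    findings = []
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry)
        for reason in reasons:
            print("   ->", reason)
```

The benign Acrobat BHO and the unresolved "Digital Line Detect.lnk = ?" shortcut are not flagged; a flag is a prompt to verify the file, not a verdict.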


#2
jwbirdsong
Trusted Helper (Retired Staff), 668 posts
Please download VundoFix.exe (by Atribune) to your Desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting. Run VundoFix at LEAST 2 times OR until you get a "No Vundo found" message.

Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Please post
  • C:\vundofix.txt
  • Combofix log
in a reply to this thread.

#3
buice (Topic Starter)
Member, 84 posts
Thanks for the response! I followed your steps, and here are the two logs:


VundoFix
---------------------------------------------------------

VundoFix V6.5.8

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:37:35 PM 9/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp3E.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp3E.tmp.dll
C:\WINDOWS\system32\tmp3E.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!


ComboFix
---------------------------------------------------------

ComboFix 07-09-10.6 - "Jessica Pendleton" 2007-09-11 22:46:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.200 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\JESSIC~1\APPLIC~1\tmp38.tmp.exe
C:\DOCUME~1\JESSIC~1\APPLIC~1\tmp3E.tmp.exe
C:\DOCUME~1\JESSIC~1\MYDOCU~1\MCROSO~1.NET
C:\Program Files\Common Files\mcroso~1
C:\Program Files\Common Files\mcroso~1\M?crosoft\
C:\Program Files\inetget2
C:\Program Files\ISM
C:\Program Files\ISM\BndDrive3.dll
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\dictionary.gz
C:\Program Files\ISM\ism.exe
C:\Program Files\ISM\ISMModule4.exe
C:\Program Files\ISM\syncupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\winpop
C:\Program Files\winpop\winpop.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\opqopq.dll
C:\WINDOWS\qpoqpo.ini
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\erolc.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\ApiMon
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-08-12 to 2007-09-12 )))))))))))))))))))))))))))))))
.

2007-09-11 22:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 22:37 <DIR> d-------- C:\VundoFix Backups
2007-09-10 07:31 81,342 --a------ C:\WINDOWS\SYSTEM32\atiicdxx.dat
2007-09-10 07:31 36,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ati2erec.dll
2007-09-10 07:31 135,168 --a------ C:\WINDOWS\SYSTEM32\atikvmag.dll
2007-09-09 14:13 68,096 --a------ C:\WINDOWS\SYSTEM32\l3acdb2.dll
2007-09-06 05:52 14,639 --a------ C:\WINDOWS\SYSTEM32\rt25.exe
2007-09-02 23:11 109,568 --a------ C:\WINDOWS\SYSTEM32\rt27.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-10 07:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-10 07:33 --------- d-------- C:\Program Files\ATI Technologies
2007-09-09 23:21 --------- d-------- C:\Program Files\QuickTime
2007-09-09 22:47 --------- d-------- C:\Program Files\iTunes
2007-09-09 22:39 --------- d-------- C:\Program Files\Google
2007-09-09 22:39 --------- d-------- C:\Program Files\FilmLoop Player
2007-09-09 22:38 --------- d-------- C:\Program Files\ewido anti-malware
2007-09-09 22:34 --------- d-------- C:\Program Files\Digital Line Detect
2007-09-09 22:34 --------- d-------- C:\Program Files\DellSupport
2007-09-09 22:25 --------- d-------- C:\Program Files\Apoint
2007-09-09 21:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-09-09 14:13 68096 --a------ C:\WINDOWS\system32\l3acdb2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 17:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 18:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 00:01]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2005-12-20 04:15]
"FilmLoop"="C:\Program Files\FilmLoop Player\FilmLoop.exe" [2006-03-22 13:14]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 05:00]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-27 23:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-26 23:39]
"!AVG Anti-Spyware"="C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
"DW4"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-28 22:19]
"SUPERAntiSpyware"="C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39]
"Tair"="C:\PROGRA~1\COMMON~1\MCROSO~1\dvdplay.exe" []
"Fsya"="C:\Documents and Settings\Jessica Pendleton\My Documents\M?crosoft.NET\?explore.exe" []
"ISMModule4"="C:\Program Files\ISM\ISMModule4.exe" []

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-02-03 06:39:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-28 22:19:05]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-09 23:09:33]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\BETHPE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\JESSIC~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\HJT\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\HJT\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\HJT\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HTICOS1]
HTICOS1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\efeedda.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e4b10c0-bafd-11da-a4a1-000e35d3be92}]
AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaabf890-bafe-11da-a4a2-000e35d3be92}]
AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-11 22:52:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-11 22:53:37 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-11 22:53
.
--- E O F ---

#4
jwbirdsong
Trusted Helper (Retired Staff), 668 posts
Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.


#5
buice (Topic Starter)
Member, 84 posts
Thanks again - here is the log:

--------------------------------------------------------------


HAXFIX logfile - by Marckie

version 4.53
Wed 09/12/2007 22:19:42.82

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
matching services found
CmBatt

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1160 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-12 22:19:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000018
"TracesSuccessful"=dword:00000011

scanning hidden files ...

C:\WINDOWS\Temp\mcu1D.tmp\McAppIns.exe
C:\WINDOWS\Temp\mcu1D.tmp\mcuninst.dll
C:\WINDOWS\Temp\mcu1D.tmp\Uninst.dll
C:\WINDOWS\Temp\mcu1D.tmp\uninst.ini
C:\WINDOWS\Temp\mcu1D.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu1D.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu1D.tmp\VsCfgIns.dll
C:\WINDOWS\Temp\mcu1D.tmp\vso
C:\WINDOWS\Temp\mcu1D.tmp\vso\44744475.upd
C:\WINDOWS\Temp\mcu1D.tmp\vso\44754476.upd
C:\WINDOWS\Temp\mcu1D.tmp\vso\44764477.upd
C:\WINDOWS\Temp\mcu1D.tmp\vso\44774478.upd
C:\WINDOWS\Temp\mcu1D.tmp\vso\delta.ini
C:\WINDOWS\Temp\mcu1D.tmp\vso\en-us
C:\WINDOWS\Temp\mcu1D.tmp\vso\en-us\us
C:\WINDOWS\Temp\mcu1D.tmp\vso\en-us\us\aolcfg.cab
C:\WINDOWS\Temp\mcu1D.tmp\vsocfg.ini
C:\WINDOWS\Temp\mcu1D.tmp\vsoins.cab
C:\WINDOWS\Temp\mcu1D.tmp\vsoins.inf
C:\WINDOWS\Temp\mcu1D.tmp\vsoins.ui
C:\WINDOWS\Temp\mcu1D.tmp\VsoVer.ini
C:\WINDOWS\Temp\mcu22.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu22.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu22.tmp\vso
C:\WINDOWS\Temp\mcu22.tmp\vso\45874588.upm
C:\WINDOWS\Temp\mcu22.tmp\vso\45884589.upm
C:\WINDOWS\Temp\mcu22.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu4F.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu4F.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu4F.tmp\vso
C:\WINDOWS\Temp\mcu4F.tmp\vso\46444645.upm
C:\WINDOWS\Temp\mcu4F.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu2C.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu2C.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu2C.tmp\vso
C:\WINDOWS\Temp\mcu2C.tmp\vso\46014602.upm
C:\WINDOWS\Temp\mcu2C.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu2D.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu2D.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu2D.tmp\vso
C:\WINDOWS\Temp\mcu2D.tmp\vso\46024603.upm
C:\WINDOWS\Temp\mcu2D.tmp\vso\46034604.upm
C:\WINDOWS\Temp\mcu2D.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu2E.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu2E.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu2E.tmp\vso
C:\WINDOWS\Temp\mcu2E.tmp\vso\46044605.upm
C:\WINDOWS\Temp\mcu2E.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu2F.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu2F.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu2F.tmp\vso
C:\WINDOWS\Temp\mcu2F.tmp\vso\46054606.upm
C:\WINDOWS\Temp\mcu2F.tmp\vso\46064607.upm
C:\WINDOWS\Temp\mcu2F.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu30.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu30.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu30.tmp\vso
C:\WINDOWS\Temp\mcu30.tmp\vso\46074608.upm
C:\WINDOWS\Temp\mcu30.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu33.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu33.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu33.tmp\vso
C:\WINDOWS\Temp\mcu33.tmp\vso\46094610.upm
C:\WINDOWS\Temp\mcu33.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu34.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu34.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu34.tmp\vso
C:\WINDOWS\Temp\mcu34.tmp\vso\46114612.upm
C:\WINDOWS\Temp\mcu34.tmp\vso\46124613.upm
C:\WINDOWS\Temp\mcu34.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu35.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu35.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu35.tmp\vso
C:\WINDOWS\Temp\mcu35.tmp\vso\46134614.upm
C:\WINDOWS\Temp\mcu35.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu36.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu36.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu36.tmp\vso
C:\WINDOWS\Temp\mcu36.tmp\vso\46144615.upm
C:\WINDOWS\Temp\mcu36.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu3C.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu3C.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu3C.tmp\vso
C:\WINDOWS\Temp\mcu3C.tmp\vso\46204621.upm
C:\WINDOWS\Temp\mcu3C.tmp\vso\46214622.upm
C:\WINDOWS\Temp\mcu3C.tmp\vso\46224623.upm
C:\WINDOWS\Temp\mcu3C.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu3E.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu3E.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu3E.tmp\vso
C:\WINDOWS\Temp\mcu3E.tmp\vso\46234624.upm
C:\WINDOWS\Temp\mcu3E.tmp\vso\46244625.upm
C:\WINDOWS\Temp\mcu3E.tmp\vso\46254626.upm
C:\WINDOWS\Temp\mcu3E.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu3F.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu3F.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu3F.tmp\vso
C:\WINDOWS\Temp\mcu3F.tmp\vso\46264627.upm
C:\WINDOWS\Temp\mcu3F.tmp\vso\46274628.upm
C:\WINDOWS\Temp\mcu3F.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu40.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu40.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu40.tmp\vso
C:\WINDOWS\Temp\mcu40.tmp\vso\46284629.upm
C:\WINDOWS\Temp\mcu40.tmp\vso\46294630.upm
C:\WINDOWS\Temp\mcu40.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu41.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu41.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu41.tmp\vso
C:\WINDOWS\Temp\mcu41.tmp\vso\46304631.upm
C:\WINDOWS\Temp\mcu41.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu42.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu42.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu42.tmp\vso
C:\WINDOWS\Temp\mcu42.tmp\vso\46174618.upm
C:\WINDOWS\Temp\mcu42.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu43.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu43.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu43.tmp\vso
C:\WINDOWS\Temp\mcu43.tmp\vso\46314632.upm
C:\WINDOWS\Temp\mcu43.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu46.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu46.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu46.tmp\vso
C:\WINDOWS\Temp\mcu46.tmp\vso\46344635.upm
C:\WINDOWS\Temp\mcu46.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu4B.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu4B.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu4B.tmp\vso
C:\WINDOWS\Temp\mcu4B.tmp\vso\46414642.upm
C:\WINDOWS\Temp\mcu4B.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu26.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu26.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu26.tmp\vso
C:\WINDOWS\Temp\mcu26.tmp\vso\45954596.upm
C:\WINDOWS\Temp\mcu26.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu38.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu38.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu38.tmp\vso
C:\WINDOWS\Temp\mcu38.tmp\vso\46154616.upm
C:\WINDOWS\Temp\mcu38.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu4E.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu4E.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu4E.tmp\vso
C:\WINDOWS\Temp\mcu4E.tmp\vso\46104611.upm
C:\WINDOWS\Temp\mcu4E.tmp\vso\mcdelta.ini
C:\WINDOWS\Temp\mcu50.tmp\UpdReq.mcaf
C:\WINDOWS\Temp\mcu50.tmp\UpdResp.mcaf
C:\WINDOWS\Temp\mcu50.tmp\vso
C:\WINDOWS\Temp\mcu50.tmp\vso\46454646.upm
C:\WINDOWS\Temp\mcu50.tmp\vso\46464647.upm
C:\WINDOWS\Temp\mcu50.tmp\vso\mcdelta.ini

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 152


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!

#6 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Sorry for the delay in answering; not sure how you slipped by me.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\l3acdb2.dll

Folder::
C:\WINDOWS\Temp\


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"=-
"Tair"=-
"Fsya"=-
"ISMModule4"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Collect::[34]
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\SYSTEM32\rt25.exe

Save this as CFScript.txt


[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
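
The CFScript above touches two loading points that malware on this machine used: it deletes the AppInit_DLLs value and rewrites the LSA "Authentication Packages" value as raw REG_MULTI_SZ bytes. As an added example (not part of the original post and not ComboFix's own code), here is a small Python decoder for that hex(7) notation; it confirms that the bytes in the script spell exactly "msv1_0" and reports any extra package. The tampered sample value and its package name "badpkg" are constructed for this example and do not come from the thread.

```python
r"""Decode a .reg-style hex(7) REG_MULTI_SZ value and check it against a baseline.

Added example; not code from the original post or from ComboFix. It shows what
the CFScript line

    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

writes under HKLM\SYSTEM\CurrentControlSet\Control\Lsa: the single LSA
authentication package "msv1_0". LSASS loads every DLL named in that list at
boot and hands it logon data, which is why malware adds itself here.
"""
from __future__ import annotations

# Value copied from the CFScript in the post above (one byte per character).
CLEAN_AUTH_PACKAGES = "hex(7):6d,73,76,31,5f,30,00,00"

# Constructed for this example: msv1_0 followed by a second package named
# "badpkg". The name is invented; it stands for any unexpected entry.
TAMPERED_AUTH_PACKAGES = "hex(7):6d,73,76,31,5f,30,00,62,61,64,70,6b,67,00,00"

# A default Windows XP install loads only the MSV1_0 (NTLM) package.
EXPECTED_PACKAGES = ["msv1_0"]


def decode_reg_multi_sz(value: str) -> list[str]:
    """Turn 'hex(7):aa,bb,...' into the list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by an extra NUL.
    The ComboFix form above uses one byte per character; a regedit export
    (.reg "Version 5.00") of the same value is UTF-16LE and has a 00 after
    every character byte. For ASCII package names that shows up as a zero
    in every odd position, which is the heuristic used to tell them apart.
    Backslash line continuations from a multi-line export are dropped.
    """
    prefix = "hex(7):"
    if not value.lower().startswith(prefix):
        raise ValueError("not a hex(7) REG_MULTI_SZ value")
    body = value[len(prefix):].replace("\\", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(b, 16) for b in body.split(",") if b)
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    # Splitting on NUL leaves empty strings for the terminators; drop them.
    return [s for s in text.split("\x00") if s]


def unexpected_packages(value: str) -> list[str]:
    """Package names in the value that are not on the expected baseline.

    An empty result means the Authentication Packages list is clean.
    """
    return [p for p in decode_reg_multi_sz(value) if p not in EXPECTED_PACKAGES]


if __name__ == "__main__":
    for label, v in (("clean", CLEAN_AUTH_PACKAGES), ("tampered", TAMPERED_AUTH_PACKAGES)):
        print(f"{label}: {decode_reg_multi_sz(v)} unexpected={unexpected_packages(v)}")
```

The same decoder can be pointed at the value exported from a suspect machine (regedit, Export, copy the hex(7) line); a non-empty result from unexpected_packages is the thing to investigate before trusting any password typed on that box.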

#7 buice (Member, Topic Starter, 84 posts)
No worries - thanks for the reply.

I ran ComboFix as you directed and submitted the file to Bleeping Computer. The log is posted below.

---------------------------------------------------------

ComboFix 07-09-10.6 - "Jessica Pendleton" 2007-09-16 17:02:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT -7:00]
* Created a new restore point

FILE::
C:\WINDOWS\system32\l3acdb2.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\l3acdb2.dll
C:\WINDOWS\SYSTEM32\rt25.exe
C:\WINDOWS\SYSTEM32\rt27.exe
C:\WINDOWS\Temp\
C:\WINDOWS\Temp\\mcu1D.tmp\
C:\WINDOWS\Temp\\mcu22.tmp\
C:\WINDOWS\Temp\\mcu26.tmp\
C:\WINDOWS\Temp\\mcu2C.tmp\
C:\WINDOWS\Temp\\mcu2D.tmp\
C:\WINDOWS\Temp\\mcu2E.tmp\
C:\WINDOWS\Temp\\mcu2F.tmp\
C:\WINDOWS\Temp\\mcu30.tmp\
C:\WINDOWS\Temp\\mcu33.tmp\
C:\WINDOWS\Temp\\mcu34.tmp\
C:\WINDOWS\Temp\\mcu35.tmp\
C:\WINDOWS\Temp\\mcu36.tmp\
C:\WINDOWS\Temp\\mcu38.tmp\
C:\WINDOWS\Temp\\mcu3C.tmp\
C:\WINDOWS\Temp\\mcu3E.tmp\
C:\WINDOWS\Temp\\mcu3F.tmp\
C:\WINDOWS\Temp\\mcu40.tmp\
C:\WINDOWS\Temp\\mcu41.tmp\
C:\WINDOWS\Temp\\mcu42.tmp\
C:\WINDOWS\Temp\\mcu43.tmp\
C:\WINDOWS\Temp\\mcu46.tmp\
C:\WINDOWS\Temp\\mcu4B.tmp\
C:\WINDOWS\Temp\\mcu4E.tmp\
C:\WINDOWS\Temp\\mcu4F.tmp\
C:\WINDOWS\Temp\\mcu50.tmp\
C:\WINDOWS\Temp\\Perflib_Perfdata_a8c.dat
C:\WINDOWS\Temp\\Perflib_Perfdata_c14.dat
C:\WINDOWS\Temp\\T30DebugLogFile.txt
C:\WINDOWS\Temp\\WGAErrLog.txt
C:\WINDOWS\Temp\\WGANotify.settings


((((((((((((((((((((((((( Files Created from 2007-08-17 to 2007-09-17 )))))))))))))))))))))))))))))))
.

2007-09-12 22:19 90,112 --a------ C:\WINDOWS\SYSTEM32\RegDACL.exe
2007-09-12 22:19 9,006 --a------ C:\clean.bat
2007-09-12 22:19 53,248 --a------ C:\WINDOWS\SYSTEM32\process.exe
2007-09-12 22:19 4,096 --a------ C:\WINDOWS\SYSTEM32\reboot.exe
2007-09-11 22:45 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-11 22:37 <DIR> d-------- C:\VundoFix Backups
2007-09-10 07:31 81,342 --a------ C:\WINDOWS\SYSTEM32\atiicdxx.dat
2007-09-10 07:31 36,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\ati2erec.dll
2007-09-10 07:31 135,168 --a------ C:\WINDOWS\SYSTEM32\atikvmag.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-14 23:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
2007-09-10 07:34 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-10 07:33 --------- d-------- C:\Program Files\ATI Technologies
2007-09-09 23:21 --------- d-------- C:\Program Files\QuickTime
2007-09-09 22:47 --------- d-------- C:\Program Files\iTunes
2007-09-09 22:39 --------- d-------- C:\Program Files\Google
2007-09-09 22:39 --------- d-------- C:\Program Files\FilmLoop Player
2007-09-09 22:38 --------- d-------- C:\Program Files\ewido anti-malware
2007-09-09 22:34 --------- d-------- C:\Program Files\Digital Line Detect
2007-09-09 22:34 --------- d-------- C:\Program Files\DellSupport
2007-09-09 22:25 --------- d-------- C:\Program Files\Apoint
.

((((((((((((((((((((((((((((( snapshot_2007-09-11_225310.92 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-07-12 08:22:00 C:\WINDOWS\SYSTEM32\java.exe
----a-w 135,168 2007-07-12 08:22:04 C:\WINDOWS\SYSTEM32\javaw.exe
----a-w 139,264 2007-07-12 09:22:38 C:\WINDOWS\SYSTEM32\javaws.exe
.
----a-w 49,248 2005-11-10 18:27:06 C:\WINDOWS\SYSTEM32\java.exe
----a-w 49,250 2005-11-10 18:27:16 C:\WINDOWS\SYSTEM32\javaw.exe
----a-w 127,078 2005-11-10 20:03:54 C:\WINDOWS\SYSTEM32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-08-21 17:04]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-05 21:05]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 10:43]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2004-10-07 18:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 00:01]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 00:05]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 21:32]
"BCWipeTM Startup"="C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" [2005-12-20 04:15]
"FilmLoop"="C:\Program Files\FilmLoop Player\FilmLoop.exe" [2006-03-22 13:14]
"EPSON Stylus C88 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.exe" [2005-01-27 05:00]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-23 15:45]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-04-27 23:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-26 23:39]
"!AVG Anti-Spyware"="C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-03-28 22:19]
"SUPERAntiSpyware"="C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-09-12 22:42]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-02-03 06:39:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-03-28 22:19:05]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-09 23:09:33]

C:\DOCUME~1\ADMINI~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\BETHPE~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\Guest\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

C:\DOCUME~1\JESSIC~1\STARTM~1\Programs\Startup\
DESKTOP.INI [2004-08-11 16:15:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\HJT\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\HJT\SUPERAntiSpyware\SASWINLO.DLL 2007-09-12 22:42 294912 C:\HJT\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\HTICOS1]
HTICOS1.dll

R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e4b10c0-bafd-11da-a4a1-000e35d3be92}]
AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eaabf890-bafe-11da-a4a2-000e35d3be92}]
AutoRun\command- rundll32.exe url.dll,FileProtocolHandler LapNetWizard.exe

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-16 17:10:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-16 17:13:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-16 17:12
C:\ComboFix2.txt ... 2007-09-11 22:53
.
--- E O F ---

#8 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Clean your Cache and Cookies in IE:
Go to Control Panel > Internet Options > General tab.
Click the "Delete Cookies" button and then the "Delete Files" button next to it.
When prompted, place a check in: "Delete all offline content",
(You will have to re-enter passwords at websites that require them.)
Click OK

Clean other Temporary files + Recycle bin:
Go to Start > Run and type: cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report and a fresh HijackThis log


#9 buice (Member, Topic Starter, 84 posts)
Here you go...

-------------------------------------------------------------

Incident | Status | Location

Adware:adware/wintools | Not disinfected | Windows Registry
Spyware:spyware/virtumonde | Not disinfected | Windows Registry
Potentially unwanted tool:application/funweb | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Adware:Adware/Yazzle | Not disinfected | C:\25.tmp
Virus:Trj/Downloader.QDR | Disinfected | C:\2B.tmp
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Overture | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Zedo | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.zedo.com/]
Spyware:Cookie/YieldManager | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/2o7 | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.2o7.net/]
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/FastClick | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/RealMedia | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Bluestreak | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Casalemedia | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Maxserving | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Jessica Pendleton\Application Data\Mozilla\Firefox\Profiles\7h2tsbbh.default\cookies.txt[.com.com/]
Virus:Generic Malware | Disinfected | C:\HJT\Combofix\ComboFix.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\Program Files\HaxFix\Process.exe
Adware:Adware/Winpopup | Not disinfected | C:\qoobox\Quarantine\C\Program Files\WinPop\winpop.exe.vir
Adware:Adware/Winpopup | Not disinfected | C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir
Virus:Generic Trojan | Disinfected | C:\VundoFix Backups\tmp3E.tmp.dll.bad
Potentially unwanted tool:Application/NirCmd.A | Not disinfected | C:\WINDOWS\NirCmd.exe
Potentially unwanted tool:Application/Processor | Not disinfected | C:\WINDOWS\SYSTEM32\process.exe


-------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:47:26 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174869198854
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\HJT\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: HTICOS1 - HTICOS1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#10 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)
Delete C:\25.tmp and C:\2B.tmp

You need to print this out or save a copy to Notepad for reading because you can NOT have IE/FF or any browser open while doing the fix.

Open HijackThis and click on Do a system scan only. Place a check mark next to the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O20 - Winlogon Notify: HTICOS1 - HTICOS1.dll (file missing)

Close ALL other open windows and programs and click Fix checked

Reboot and post a new HJT and tell how everything is running.
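
The three entries picked out in the post above share one property: each is a registry hook whose target no longer exists (a BHO CLSID reported as "(no file)", a Winlogon Notify DLL reported as "(file missing)") or that has been left empty (the R0 LinksFolderName line). As an added example, not from the thread and not HijackThis's own code, the Python below applies that rule to lines copied from the HijackThis log posted earlier in this thread and returns exactly those candidates, while leaving alone a shortcut HijackThis merely could not resolve ("Digital Line Detect.lnk = ?"). The section prefixes it matches follow the HijackThis 1.99 log format; the sample log is an excerpt assembled here, not the full log.

```python
"""Triage a HijackThis 1.99 log for entries that point at nothing.

Added example; not code from the original thread or from HijackThis.
Rule applied: a hook that references a file HijackThis could not find
("(no file)", "(file missing)") or that carries an empty value is a
leftover of a removed infection and is a safe candidate for 'Fix checked'.
"""
from __future__ import annotations

import re

# Excerpt assembled from the HijackThis log posted earlier in the thread.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - Global Startup: Digital Line Detect.lnk = ?
O20 - Winlogon Notify: !SASWinLogon - C:\HJT\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: HTICOS1 - HTICOS1.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

# Markers HijackThis appends when the referenced file does not exist.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Every HJT entry starts with a section code: R0..R3, F0..F3, N1..N4, O1..O24.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


def classify(line: str) -> str | None:
    """Return why a log line is an orphaned entry, or None if it looks live.

    Only two conditions are used, both visible in the line itself:
      * the target is marked "(no file)" / "(file missing)";
      * an R-section (IE URL/setting) entry has nothing after the '='.
    A Global Startup shortcut shown as "= ?" is not flagged: HJT prints
    '?' when it cannot resolve a .lnk, which says nothing about infection.
    """
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    section, rest = m.groups()
    for marker in ORPHAN_MARKERS:
        if rest.endswith(marker):
            return f"{section}: target {marker}"
    if section.startswith("R") and rest.endswith("="):
        return f"{section}: empty value"
    return None


def triage(log_text: str) -> list[str]:
    """Lines from a HijackThis log worth ticking for 'Fix checked'."""
    return [ln for ln in log_text.splitlines() if classify(ln) is not None]


if __name__ == "__main__":
    for ln in triage(SAMPLE_HJT_LOG):
        print(classify(ln), "->", ln)
```

The rule is deliberately narrow: it only uses what HijackThis itself reports about the target, so it never declares a live file malicious. Entries with an existing file (the "Unknown owner" service, the bare WgaLogon.dll name) still need a human to judge them, as the helper does in this thread.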

#11 buice (Member, Topic Starter, 84 posts)
I couldn't find the file "C:\2B.tmp" to delete. I deleted the three files with HijackThis, and the log is posted below. So far it looks like the popups have stopped.

---------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:41:48 PM, on 9/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\FilmLoop Player\FilmLoop.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [FilmLoop] "C:\Program Files\FilmLoop Player\FilmLoop.exe" -hide
O4 - HKLM\..\Run: [EPSON Stylus C88 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIABA.EXE /P23 "EPSON Stylus C88 Series" /O6 "USB002" /M "Stylus C88"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: View Original Image - C:\Program Files\MSN\MSNIA\CC\MSNCC\WA\getoriginal.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1174869198854
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\HJT\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#12 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Sorry for the delay..for some reason I am getting about half of my notices of replies here.

Your log looks really good...I did notice you have the old Ewido installed..which was taken over by and is the same as AVG AntiSpyware.

Before we close out your thread and call your computer clean, let's take a peek at your installed programs.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

#13 buice (Topic Starter, Member, 84 posts)

The uninstall list is pasted below. I also wanted to mention that I have a window for Super Anti-Spyware that appears every time I start up Windows. Also, I'm getting a popup asking me to register AVG Anti-Spyware. Any chance I can get rid of those also?

Thanks!

-----------------------------------------------------------------------------

ABBYY FineReader 5.0 Sprint
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Photoshop Elements 2.0
Adobe Reader 6.0.1
ALPS Touch Pad Driver
ArcSoft PhotoImpression
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
AVG Anti-Spyware 7.5
BCWipe 3.0
Broadcom Advanced Control Suite
BUM
CCleaner (remove only)
Conexant D480 MDC V.9x Modem
Dell Driver Reset Tool
Dell Media Experience
Dell Media Experience Update
Dell Picture Studio v3.0
DellSupport
Digital Line Detect
EarthLink setup files
EPSON Copy Utility
EPSON PERF 1670 Guide
EPSON Photo Print
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
ewido anti-malware
FilmLoop Player
FinePixViewer Ver.3.2
FUJIFILM USB Driver
Get High Speed Internet!
Goleads Marketing CRM
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
H&R Block Tax Offer
HaxFix 4.53
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB926239)
HP Deskjet 5400 series
HP Image Zone Express
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
ImageMixer VCD for FinePix
Internet Explorer Default Page
Internet Speed Monitor
iPod for Windows 2005-03-23
iPod for Windows 2006-03-23
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Learn2 Player (Uninstall Only)
LG PC Sync
LG USB Modem driver
LGUsbConverterDriver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft Picture It! Photo Premium 9
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets and Trips 2004
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (2.0.0.7)
MSN Connection Center
MSN Messenger 6.2
MSN Music Assistant
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Musicmatch for Windows Media Player
NetWaiting
Panda ActiveScan
Photo Click
Picasa 2
PowerDVD 5.1
Presto! BizCard 4.0 Component for Windows CE
Presto! BizCard 4.1 Eng
Qualxserve Service Agreement
QuickLink Mobile
QuickSet
QuickTime
RealPlayer
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Sensational Fairies Screen Saver
Shockwave
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SpywareBlaster v3.5.1
Star Alliance Electronic Timetable
SUPERAntiSpyware Free Edition
The Weather Channel Desktop
TurboTax Deluxe 2005
TurboTax ItsDeductible 2005
TurboTax Premier 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
URGE
Viewpoint Media Player
Weather Services
WexTech AnswerWorks
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinZip

#14 jwbirdsong (Trusted Helper, Retired Staff, 668 posts)

Yep
Go to your Control Panel>Add/Remove and uninstall the following:

ewido anti-malware
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03

Open HijackThis and place a check next to the following:
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe

Close ALL windows..(even this one) and hit Fix Checked.


You can delete the combofix, vundofix, c:\qoobox folder/files now..

First, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check Turn off System Restore.
   Click Apply, and then click OK.

System Restore will now be active again.

You also NEED to update your Java...follow guidelines HERE

To reduce the potential for spyware infection in the future, I strongly recommend installing SpywareBlaster and SpyWareGuard and IE/Spyad.

SpywareBlaster and SpywareGuard are by JavaCool and both are free programs. SpywareBlaster will prevent spyware from being installed and consumes no system resources. SpywareGuard offers realtime protection from spyware installation attempts.

IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It is free.

More info and download is available at links in the following article by TonyKlein

Make SURE to read How Did I Get Infected in the First Place??

Edited by jwbirdsong, 02 October 2007 - 07:37 PM.

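As an added example (not from this thread, and not HijackThis code), here is a small Python triage helper for the O4 autorun and O23 service lines in the log format quoted above. The sample lines are copied from the log earlier in the thread; the "trusted root" rule and the reasons it reports are assumptions made for this example, not HijackThis logic.

```python
import re

# Line shapes for the HijackThis O4 (Run key) and O23 (service) entries quoted in this thread
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$')

# Assumption for this example: autoruns under these roots are "expected"; anything else gets a second look
TRUSTED_ROOTS = ('c:\\program files\\', 'c:\\windows\\')

# Constructed sample: a handful of lines copied from the log in this thread
SAMPLE = [
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\HJT\AVG AntiSpyware\AVG Anti-Spyware 7.5\avgas.exe" /minimized',
    r'O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe',
    r'O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\HJT\SUPERAntiSpyware\SUPERAntiSpyware.exe',
    r'O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe',
    r'O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe',
]


def exe_path(cmd):
    """Return just the executable from a Run-key command, quoted or not, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)(.*?\.exe)', cmd)  # unquoted: the path runs up to the first .exe
    return m.group(1) if m else cmd.split(' ')[0]


def review(lines):
    """Triage O4/O23 lines; returns (type, name, path, reason) tuples for entries worth a closer look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group('cmd'))
            if not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(('O4', m.group('name'), path, 'autorun outside Program Files / Windows'))
            continue
        m = O23_RE.match(line)
        if m and m.group('owner') == 'Unknown owner':
            findings.append(('O23', m.group('name'), m.group('path'), 'service binary carries no company name'))
    return findings


if __name__ == '__main__':
    for kind, name, path, reason in review(SAMPLE):
        print(f'{kind} [{name}] {path}: {reason}')
```

On the sample it flags the two tools that were installed under C:\HJT and the Dell service with no company name; a flag only means "look at it", as the AVG and SUPERAntiSpyware entries here show.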

#15 buice (Topic Starter, Member, 84 posts)

I've uninstalled the programs, removed the file on HJT, reset / re-enabled system restore, installed SpywareBlaster and SpywareGuard. I did not install IE/Spyad (the link has changed).

The Super Anti-Spyware window is gone, although I'm still getting the AVG popup window on startup.

Thanks!