Welcome Guest ( Log In | Join )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Want to ask a question, reply to a topic, or remove all advertising? It's easy, fast and free. Join today!
Spyware, virus, trojan, fake security or privacy alerts? Please start with our malware cleaning guide.
     
 
 Closed TopicStart new topic
Wow I got something BAD! [RESOLVED], Malware in my hair!
Winterblast
post Apr 4 2008, 08:04 AM
Post #1


New Member
*
Posts: 5
OS: XP
Yeah, I dunno, but the whole PC must be a mess of malware at this point. Even my google searches redirect to other stuff now.

Here is the Hijackthis file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:24 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\JavaCore\JavaCore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{5C8231D9-0BB8-1033-0429-050409010001}] "C:\Program Files\Common Files\{5C8231D9-0BB8-1033-0429-050409010001}\Update.exe" mc-110-12-0000904
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NetWork Service (ntserv) - Unknown owner - c:\program files\common files\system\ntserv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5763 bytes


What can I do? Help me Obiwan!
Go to the top of the page
 
+Quote Post
Winterblast
post Apr 4 2008, 01:14 PM
Post #2


New Member
*
Posts: 5
OS: XP
Bump!
Go to the top of the page
 
+Quote Post
Essexboy
post Apr 4 2008, 02:50 PM
Post #3


Global Moderator
Group Icon
Posts: 10,028
From: Darkest Cornwall
OS: Vista Ultimate
QUOTE
Bump!
Naughty Naughty

OK lets get you cleaned up then shall we smile.gif

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [xInsIDE] C:\Program Files\xInsIDE\xInsIDE.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\JavaCore\JavaCore.exe
O4 - HKCU\..\Policies\Explorer\Run: [{5C8231D9-0BB8-1033-0429-050409010001}] "C:\Program Files\Common Files\{5C8231D9-0BB8-1033-0429-050409010001}\Update.exe" mc-110-12-0000904

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Ipwins

Please note any other programs that you dont recognize in that list in your next response

NEXT

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Logs required : Report.txt and a new Hijackthis log
Go to the top of the page
 
+Quote Post
Winterblast
post Apr 4 2008, 09:42 PM
Post #4


New Member
*
Posts: 5
OS: XP
Ok awesome so

The Report

SDFix: Version 1.166

Run by Protoman on Fri 04/04/2008 at 11:26 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDfix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\JavaCore\JavaCore.exe - Deleted
C:\Program Files\JavaCore\UnInstall.exe - Deleted



Folder C:\Program Files\JavaCore - Removed
Folder C:\Program Files\kernel - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\xInsIDE - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 23:32:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86160C21-8200-3688-7C4F-8FB663D01859}]
"iahbhllkpmhkkclphc"=hex:6a,61,6d,67,6c,64,63,6d,6b,61,61,69,70,69,6f,6b,6e,6b,69,67,00,..
"hajbjngocogfomhc"=hex:6a,61,6d,67,6c,64,63,6d,6b,61,61,69,70,69,6f,6b,6e,6b,69,67,00,..

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
"C:\\Program Files\\DC++\\DCPlusPlus.exe"="C:\\Program Files\\DC++\\DCPlusPlus.exe:*:Enabled:DC++"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\SNES\\zsnesw.exe"="C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\SNES\\zsnesw.exe:*:Enabled:zsnesw"
"C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe:*:Enabled:Java™ 2 Platform Standard Edition binary"
"C:\\Program Files\\RSSoft\\RSEDNClient.exe"="C:\\Program Files\\RSSoft\\RSEDNClient.exe:*:Enabled:RSEDNClient"
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"="C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\NES Nesticle\\NESTCL95.EXE"="C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\NES Nesticle\\NESTCL95.EXE:*:Disabled:NESTCL95"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5"
"C:\\WINDOWS\\system32\\rtcshare.exe"="C:\\WINDOWS\\system32\\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windowsr NetMeetingr"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Game Vindicator\\Game Vindicator\\GameVindicator.exe"="C:\\Program Files\\Game Vindicator\\Game Vindicator\\GameVindicator.exe:*:Enabled:GameVindicator"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files :


File Backups: - C:\SDfix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 9 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT1A.tmp"
Thu 7 Dec 2006 3,096,576 A..H. --- "C:\Documents and Settings\Protoman\Application Data\U3\temp\Launchpad Removal.exe"

Finished!



The Hijack this Report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:00 PM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetWork Service (ntserv) - Unknown owner - c:\program files\common files\system\ntserv.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5331 bytes


Thanks again guys, you are the gods of the internet!
Go to the top of the page
 
+Quote Post
Essexboy
post Apr 5 2008, 03:45 AM
Post #5


Global Moderator
Group Icon
Posts: 10,028
From: Darkest Cornwall
OS: Vista Ultimate
Looks better smile.gif

QUOTE
@echo off
sc stop ntserv
sc delete ntserv
exit

Next you will need to create the batch fix to do that copy and paste ALL of the above in the quote box to a notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file

Then run fix.bat by double clicking you may see a black box appear this is normal

THEN

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
Go to the top of the page
 
+Quote Post
Winterblast
post Apr 5 2008, 01:40 PM
Post #6


New Member
*
Posts: 5
OS: XP
Ok the new report is here

ComboFix 08-04-04.1 - Protoman 2008-04-05 15:33:41.1 - NTFSx86
Running from: C:\Documents and Settings\Protoman\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner10337.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner10619.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner11211.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner11488.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner14466.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner15727.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner16720.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner16970.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner17356.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner20730.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner20749.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner21366.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner2222.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner24741.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner24895.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner27981.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner28128.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner28392.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner29354.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner32226.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner32270.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner32487.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner3588.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner4745.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner4778.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner5616.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner5735.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner606.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner8100.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner8993.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner9607.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner9748.html
C:\Documents and Settings\Protoman\Local Settings\Temporary Internet Files\banner9849.html
C:\Program Files\Common Files\{5C823~1
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\smdat32m.sys

.
((((((((((((((((((((((((( Files Created from 2008-03-05 to 2008-04-05 )))))))))))))))))))))))))))))))
.

2008-04-04 23:23 . 2008-04-04 23:23 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-04 23:19 . 2008-04-04 23:19 <DIR> d-------- C:\SDfix
2008-04-04 09:55 . 2008-04-04 09:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-04 09:15 . 2008-04-04 09:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-04 09:14 . 2008-04-04 09:17 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-04 09:14 . 2008-04-04 09:14 <DIR> d-------- C:\Program Files\AVSMedia
2008-04-04 09:14 . 2002-01-05 15:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-04-04 09:14 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-04 09:13 . 2008-04-04 09:13 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-04-03 02:08 . 2008-04-03 02:08 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-03 02:08 . 2008-04-03 02:08 2,544 --a------ C:\WINDOWS\unins000.dat
2008-03-27 05:17 . 2008-03-27 05:17 <DIR> d-------- C:\Documents and Settings\Protoman\Application Data\acccore
2008-03-27 05:13 . 2008-03-27 05:13 <DIR> d-------- C:\Program Files\Viewpoint
2008-03-27 05:13 . 2008-03-27 05:13 <DIR> d-------- C:\Program Files\AOL Search
2008-03-27 05:13 . 2008-03-27 05:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-27 05:13 . 2008-03-27 05:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-03-27 05:13 . 2008-03-27 05:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-03-27 05:12 . 2008-03-27 05:12 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-03-27 05:12 . 2008-03-27 05:14 <DIR> d-------- C:\Program Files\AIM6
2008-03-27 05:12 . 2008-03-27 05:13 444 --ah----- C:\IPH.PH
2008-03-26 02:52 . 2008-03-26 02:57 <DIR> d-------- C:\Program Files\MKVTOAVI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 19:30 --------- d-----w C:\Documents and Settings\Protoman\Application Data\Azureus
2008-04-05 12:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-04 14:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-04 14:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-03 06:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 06:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-03 05:56 --------- d-----w C:\Program Files\mIRC
2008-03-24 09:32 --------- d-----w C:\Program Files\DOSBox-0.72
2008-03-12 04:58 --------- d-----w C:\Program Files\Azureus
2008-02-23 06:25 --------- d-----w C:\Documents and Settings\Protoman\Application Data\AVG7
2008-02-23 06:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-23 05:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-23 05:29 --------- d-----w C:\Program Files\Lavasoft
2008-02-23 05:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-22 21:06 --------- d-----w C:\Program Files\Enigma Software Group
2008-02-21 11:07 --------- d-----w C:\Documents and Settings\Protoman\Application Data\U3
2008-02-17 09:05 --------- d-----w C:\Program Files\Common Files\DirectX
2008-02-17 09:03 --------- d-----w C:\Program Files\MumboJumbo
2008-02-16 09:35 2,293,848 ----a-w C:\Program Files\FLV PlayerFCSetup.exe
2008-02-16 09:35 --------- d-----w C:\Program Files\FLV Player
2008-02-06 00:45 --------- d-----w C:\Documents and Settings\Protoman\Application Data\Publish Providers
2008-02-06 00:44 --------- d-----w C:\Documents and Settings\Protoman\Application Data\Sony
2008-02-06 00:40 --------- d-----w C:\Program Files\Vstplugins
2008-02-06 00:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-06 00:39 --------- d-----w C:\Program Files\Sony
2008-02-06 00:33 --------- d-----w C:\Program Files\Sony Setup
2008-02-06 00:33 --------- d-----w C:\Documents and Settings\Protoman\Application Data\Sony Setup
2008-02-05 11:26 --------- d-----w C:\Program Files\Screen Recorder Gold
2004-03-11 18:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
1997-11-09 15:24 2,794 ----a-w C:\Program Files\Palette.pal
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-10-12 17:13 7086080]
"PowerBar"="" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 11:49 307200]
"Aim6"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-16 04:11 155648]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 02:01 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-23 08:54 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
"msacm.scg726"= scg726.acm
"vidc.VP31"= vp31vfw.dll
"msacm.alf2cd"= alf2cd.acm

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\DC++\\DCPlusPlus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\SNES\\zsnesw.exe"=
"C:\\Program Files\\Java\\jre1.5.0_05\\bin\\javaw.exe"=
"C:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Documents and Settings\\Protoman\\My Documents\\D Drive\\NES Nesticle\\NESTCL95.EXE"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"C:\\WINDOWS\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7845:UDP"= 7845:UDP:SNES
"4000:TCP"= 4000:TCP:SNES download
"6881:UDP"= 6881:UDP:Torrent for Az
"9420:TCP"= 9420:TCP:RSP
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 PhilCam8116;Logitech QuickCam Pro 3000 (08B0);C:\WINDOWS\system32\DRIVERS\CamDrO21.sys [2001-08-17 15:05]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2004-08-04 08:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{98e4be3c-da6f-11dc-bca6-001320775b47}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-05 15:37:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ????<????4@?h??????w????h???Z??w(???*??wt?@?l?@?HSa?????????????????????????,??????????????????????w????g??w0??w????*??w???w?????4@????????????w????l?@????????w????t?@? ?a?????????l?@?l?@????????w????t?@?????l?@?8?@?l?@?3??s????????????????????8?@?_??s8?@?8?@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-05 15:38:23
ComboFix-quarantined-files.txt 2008-04-05 19:38:20
Pre-Run: 8,434,626,560 bytes free
Post-Run: 8,423,677,952 bytes free
.
2008-03-12 07:10:52 --- E O F ---


And the Hijack this

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:35 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 5107 bytes


Everything has gone smoothly so far! Thanks
Go to the top of the page
 
+Quote Post
Essexboy
post Apr 5 2008, 04:22 PM
Post #7


Global Moderator
Group Icon
Posts: 10,028
From: Darkest Cornwall
OS: Vista Ultimate
Nicely done thumbsup.gif

Subject to your next report this may be the final run smile.gif

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PowerBar
    Purity

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.

  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

THEN

To clear any I missed

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Logs required : OTMoveit, MBAM and a new Hijackthis log - plus how is your computer running now ?
Go to the top of the page
 
+Quote Post
Winterblast
post Apr 5 2008, 04:44 PM
Post #8


New Member
*
Posts: 5
OS: XP
Moveitlog

File/Folder HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PowerBar not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04052008_183640


Malwarebytes' Anti-Malware 1.10
Database version: 594

Scan type: Quick Scan
Objects scanned: 29263
Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\RXToolBar (Adware.RXToolbar) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:40 PM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6A2E758A-028B-46BB-A11D-0608AB5A4ED3} (DaumBGMCtrl Class) - http://listen.daum.net/52st/bgmplayer/Daum52stBGMPlayer.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/cab9_1/dmcc2.cab?Version=1,0,0,10
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\P