cproc infection, unwanted ad pop-ups


This topic is locked

#1 Chris Owen (Member, 11 posts)

Hi guys,

Firstly thanks for creating this forum for people like me who sometimes need help!!

Problem - my PC appears to have been infected with something that my set of spyware removers can't handle. 'cproc application error' pops up all the time, as do a series of highly irritating, frequent pop up ads which sit there until I manually close them (they get past Pop-Up Stopper). An unfamiliar toolbar also appeared in IE.

What I've done myself - I have Spybot S&D, Spyware Doctor, Spyware Snooper and AVG on my system. I run them regularly and have just done so again. They cleaned out the usual stuff but not the current problem I have.

I 'think' I've done everything listed in your list of do's....I downloaded and ran ATF Cleaner and HiJackThis, and ran the online Panda Activescan.

My system has SP2 installed, and has always been set for automatically installing any Windows Updates it needs. I'm using XP Pro in case you need to know.

I've copied and pasted below the logs you needed to see....Activescan, HiJackThis and the Uninstall List.

Huge thanks in advance for your invaluable assistance, it's MUCH appreciated!!

- Chris Owen



ACTIVESCAN

Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\Common Files\misc002\DXC.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\Activate.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\MyToolBar.dll
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\Uninst.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\services.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\Update.exe
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\DeluxeCommunications\Dxc.exe
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\DeluxeCommunications\DxcBho.dll
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\DeluxeCommunications\DxcCore.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\ipwins\Uninst.exe[˛ÜÇ\nsProcess.dll]
Potentially unwanted tool:Application/SpywareSnooper Not disinfected C:\Program Files\Spyware Snooper\SpywareSnooper.exe
Spyware:spyware/betterinet Not disinfected C:\WINDOWS\susp.exe
Dialer:dialer.xd Not disinfected C:\WINDOWS\switchagreement.txt
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\5.exe
Adware:Adware/DeluxeComunications Not disinfected C:\WINDOWS\system32\bkd.exe
Adware:Adware/DeluxeComunications Not disinfected C:\WINDOWS\system32\dxclib303562752.dll

HIJACKTHIS NOTEPAD

Logfile of HijackThis v1.99.1
Scan saved at 00:36:08, on 17/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\ipwins\ipwins.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software Installers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [batt] C:\WINDOWS\system32\batt.exe
O4 - HKCU\..\Run: [wmp] C:\WINDOWS\system32\wmp.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [hhsetup] C:\WINDOWS\system32\hhsetup.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38311A06-06C4-47BC-B0F8-B39CE7A938B1}: NameServer = 212.74.114.129 212.74.112.66
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: cmcfg32.exe - Unknown owner - C:\WINDOWS\system32\cmcfg32.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nvrsno.exe - Unknown owner - C:\WINDOWS\system32\nvrsno.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: wdfapi.exe - Unknown owner - C:\WINDOWS\system32\wdfapi.exe (file missing)

UNINSTALL LIST

Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop 7.0
Adobe Premiere 6.0
Adobe Reader 7.0.5
Advanced RealMedia Export Plug-in for Premiere 6.0
AVG Free Edition
BlackICE
CCleaner (remove only)
Clean! 1.5
Cleaner 5 EZ
CyberScrub Trial Edition 3.5
dBpowerAMP AAC Codec
dBpowerAMP DirectShow Decoder Codec
dBpowerAMP FLAC Codec
dBpowerAMP Mp4 Codec
dBpowerAMP Music Converter
dBPowerAMP Real Audio Encoder R3
dBpowerAMP Shorten Codec
dBpowerAMP WMA V9.1 Codec
DC++ 0.674
DeluxeCommunications
DivX
DivX Player
DVD X Player Pro 1.0
DVD-lab PRO 1.00
Easy CD & DVD Creator 6
Enable S3 for USB Device
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Print CD
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ESPR220 User's Guide
FileZilla (remove only)
Final Draft 6
Final Draft v6.0.2.5 Update
FrostWire
Hijackthis 1.99.1
HijackThis 1.99.1
IpWins
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Macromedia Flash Player 8
Macromedia FreeHand 10
MailWasher Free
Microsoft AutoRoute 2001
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Word 2000
Microsoft Works 2000 Setup Launcher
MSN Messenger 7.5
Napster
Napster Burn Engine
Nero 6 Ultra Edition
NVIDIA Windows 2000/XP Display Drivers
oggcodecs 0.69.8924
Panda ActiveScan
PIF DESIGNER
Pop-Up Stopper Free Edition
PowerDVD
QuickTime
RealPlayer
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
SAGEM [email protected] 800-840
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Skype 2.0
SoulSeek Client 156b
Spybot - Search & Destroy 1.4
Spyware Doctor 3.5
Spyware Snooper 1.0.1
Ulead DVD MovieFactory 4.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB 2.0 Setup program
VIA Integrated Setup Wizard
WaveLab
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Word in Works Suite add-in


#2 Crustyoldbloke (Retired Staff, 15,131 posts) - Old Malware Surgeon with a shaky scalpel

Hello Chris and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

You have quite a mixture of malware and Trojans. Let’s see what we can do.

I note that you are running HijackThis from Temporary Folder; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

Click My Computer, then C:\ and then Program Files.
In the menu bar, go to File>New>Folder. That will create a folder named New Folder, which you can right-click on and rename to HJT or HijackThis. Now you have C:\Program Files\HijackThis. Cut ‘n’ Paste your HijackThis.exe into it.

Please disable Spyware Doctor. From within Spyware Doctor, click the OnGuard button on the left side. Uncheck Activate OnGuard.

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
AVG AntiSpyware
combofix.exe

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find these services:

cmcfg32.exe
nvrsno.exe
wdfapi.exe


When you find them, double-click on each. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter these items into that field one at a time (copy and paste):

cmcfg32.exe
nvrsno.exe
wdfapi.exe


Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Please install and update Ewido / AVG Anti Spyware:
  • Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Deselect "Only if threats were found"
  • Close AVGas. Do not run it yet.
Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site:

Safe Mode

  • In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
  • AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
  • Please ensure you post that log in your reply.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C004DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [batt] C:\WINDOWS\system32\batt.exe
O4 - HKCU\..\Run: [wmp] C:\WINDOWS\system32\wmp.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [hhsetup] C:\WINDOWS\system32\hhsetup.exe
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: cmcfg32.exe - Unknown owner - C:\WINDOWS\system32\cmcfg32.exe (file missing)
O23 - Service: nvrsno.exe - Unknown owner - C:\WINDOWS\system32\nvrsno.exe
O23 - Service: wdfapi.exe - Unknown owner - C:\WINDOWS\system32\wdfapi.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please remove these entries from Add/Remove Programs in the Control Panel (if present): (click Start>Settings>Control Panel)

IpWins
J2SE Runtime Environment 5.0 Update 3
Napster
Napster Burn Engine
Spyware Snooper 1.0.1

Please notify me of any other programmes that you don't recognise in that list in your next response.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\DeluxeCommunications\

Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\Napster\napster.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\system32\wmp.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\WINDOWS\system32\batt.exe
C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\Activate.exe
C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\MyToolBar.dll
C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\Uninst.exe
C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\services.dll
C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\Update.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\switchagreement.txt
C:\WINDOWS\system32\5.exe
C:\WINDOWS\system32\hhsetup.exe
C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\nvrsno.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the System tab, and under the heading of Applications uncheck AVGas Anti-malware log, then click Analyze > Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues, then Scan for issues, then Fix selected issues.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log (from normal mode) and I will take another look.

Edited by Crustyoldbloke, 17 October 2006 - 08:54 AM.

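As an added illustration (not part of the thread, and not code from HijackThis, Panda or Geeks to Go), the Python script below encodes the kinds of entries Crustyoldbloke picked out of the log above as simple rules (cleared R0 start page, unnamed R3 hook, orphaned "(no file)" objects, O15 Trusted Zone additions, empty O16 DPF entries, any O20 AppInit_DLLs value, O23 services with an unknown owner or missing binary) and cross-references the O4 Run entries against the paths the ActiveScan report listed, so a long log can be pre-screened before a human reads it. The function names, the rule wording and the O4 "executable named after its own Run key" heuristic are this example's own assumptions, not HijackThis's classification; the sample lines are a constructed subset of the logs posted in this thread.

```python
"""Rule-based pre-screen of a HijackThis v1.99 log (added example, not HijackThis code)."""
import ntpath  # parse Windows paths correctly even when this runs on Linux/macOS
import re
from typing import List, Set, Tuple

# O4 body looks like:  HKCU\..\Run: [RunKeyName] "C:\path\target.exe" -args
O4_RE = re.compile(r'\[([^\]]+)\]\s+"?(.+?\.exe)', re.IGNORECASE)
# ActiveScan line looks like:  <Category> Not disinfected <path>   (archive members as path[member])
AV_RE = re.compile(r'\s(?:Not disinfected|Disinfected)\s+(.+)$', re.IGNORECASE)

# Constructed samples: a subset of the ActiveScan and HijackThis lines posted in this thread.
SAMPLE_ACTIVESCAN = r"""
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\DeluxeCommunications\Dxc.exe
Adware:Adware/DeluxeComunications Not disinfected C:\Program Files\DeluxeCommunications\DxcBho.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\5.exe
Adware:Adware/DeluxeComunications Not disinfected C:\WINDOWS\system32\dxclib303562752.dll
"""

SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [batt] C:\WINDOWS\system32\batt.exe
O4 - HKCU\..\Run: [wmp] C:\WINDOWS\system32\wmp.exe
O15 - Trusted Zone: *.p0rt2.com
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: cmcfg32.exe - Unknown owner - C:\WINDOWS\system32\cmcfg32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_activescan(report: str) -> Set[str]:
    """Collect the file paths an ActiveScan report lists, lower-cased for substring matching."""
    paths = set()
    for line in report.splitlines():
        m = AV_RE.search(line.strip())
        if m:
            paths.add(m.group(1).split('[', 1)[0].strip().lower())
    return paths


def triage_line(line: str, av_paths: Set[str] = frozenset()) -> List[str]:
    """Return the reasons one HijackThis line deserves a look (empty list = no rule matched)."""
    line = line.strip()
    if ' - ' not in line:
        return []
    kind, body = line.split(' - ', 1)
    low = line.lower()
    reasons = []
    if kind == 'R0' and line.endswith('='):
        reasons.append('R0: IE start page cleared or hijacked')
    if kind == 'R3' and '(no name)' in body:
        reasons.append('R3: unnamed URLSearchHook')
    if '(no file)' in body:
        reasons.append(f'{kind}: orphaned object, registered DLL no longer exists')
    if kind == 'O15':
        reasons.append('O15: domain added to the IE Trusted Zone (lowered security)')
    if kind == 'O16' and body.endswith('-'):
        reasons.append('O16: ActiveX download entry with no name and no source URL')
    if kind == 'O20' and body.startswith('AppInit_DLLs:'):
        reasons.append('O20: AppInit_DLLs is loaded into every user-mode process')
    if kind == 'O23' and ('unknown owner' in low or '(file missing)' in low):
        reasons.append('O23: service with unknown vendor or missing binary')
    if kind == 'O4':
        m = O4_RE.search(body)
        if m:
            name, target = m.group(1), m.group(2)
            stem = ntpath.splitext(ntpath.basename(target))[0]
            # Heuristic of this example: throw-away droppers in system32 often use their own
            # file name as the Run key name; legitimate entries rarely do. Expect false positives.
            if '\\system32\\' in target.lower() and name.lower() == stem.lower():
                reasons.append('O4: system32 executable named after its own Run key (heuristic)')
    for path in av_paths:
        if path in low:
            reasons.append(f'path already reported by the AV scan: {path}')
            break
    return reasons


def triage_log(log: str, av_report: str = '') -> List[Tuple[str, List[str]]]:
    """Return [(line, reasons)] for every log line that matched at least one rule."""
    av_paths = parse_activescan(av_report)
    hits = []
    for line in log.splitlines():
        reasons = triage_line(line, av_paths)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


if __name__ == '__main__':
    for flagged, why in triage_log(SAMPLE_HJT, SAMPLE_ACTIVESCAN):
        print(flagged)
        for reason in why:
            print('    ->', reason)
```

Running the file prints each flagged sample line with its reasons. The rules only narrow the list down: a hit still needs the kind of judgement shown in the reply above, and entries removed there on experience rather than on a visible marker (KernelFaultCheck, NapsterShell) are deliberately not caught by any rule here.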

#3 Chris Owen (Topic Starter, Member, 11 posts)

Hi again Phil, and huge thanks for your very detailed reply!!

First of all, I did as you asked and moved HijackThis into its proper folder within C:\Program Files. It now seems to be saving its logs into this folder.

Okay, I've just finished carrying out everything as per instructed. A couple of possible problems occurred, I'll list them here for you in case they're important...

When running HijackThis in Safe Mode, the following entries were not in the list, and so could not be checked and fixed...

015 - Trusted Zone: *.p0rt.com
023 - Service: cmcfg32.exe - Unknown owner - C:\WINDOWS\system32\cmcfg32.exe (file missing)
023 - Service: nvrsno.exe - Unknown owner - C:\WINDOWS\system32\nvrsno.exe (file missing)
023 - Service: wdfapi.exe - Unknown owner - C:\WINDOWS\system32\wdfapi.exe (file missing)

I notice these last 3 all had their Start-Up type changed to Disabled earlier in your procedure...is this any connection to them not being in the list?


The version of AVG you asked me to download crashed immediately upon applying fixes to all problems it found after its complete system scan in Safe Mode. I ran the scan again, but AVG crashed again. I saved a report regardless, though is this still useful bearing the crash in mind? I'm not certain if AVG applied all the fixes before it crashed. I don't think it did, because when I ran the second scan, the same problem seemed to be present. In lieu of this, is it okay to run the AVG scan in normal mode?


After clicking 'fix checked' in HijackThis in Safe Mode, an error message appeared, stating...

'an unexpected error has occurred at procedure: modBackup_MakeBackup (s/tem=020-Applnit_DLLs:dxclib303562752.dll) Error #5 - Invalid procedure call or argument. Please email me at [email protected], reporting the following - *what you were trying to fix when the error occurred, if applicable * how you can reproduce the error *a complete HijackThis scan log, if possible. Windows version - Windows NT 5.01.2600 MSIE version - 6.0.2900.2180 HijackThis version - 1.99.1 This message has been copied to your clipboard. Click OK to continue scan.'

I hit OK and the scan seemed to continue fine, so I'm not sure just how important the error message was.


When in add/remove programs - when I tried to uninstall 'J2SE Runtime Environment 5.0 Update 3', a message appeared, stating, 'The Windows Install Service could not be accessed'. There was also an Update 6 in the list, which also threw up the same message. Due to this, I was unable to remove both entries from the list.


C:\Program Files\Deluxe Communications proved difficult to remove, but I was eventually able to remove it with Ccleaner. Windows couldn't remove it, and kept insisting it was being used by another person or application.

From the populated list in add/remove programs, I did not recognise the following -

Adobe Download Manager
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
PIF Designer (now removed)
Toolbar 888 (now removed)

I hope it was okay to remove these last two.

Other than that, the whole procedure seemed to go well.

Here are the logs you asked me to post.




COMBOFIX

Chris - 06-10-20 1:36:05.48 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software Installers"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\Dxcuknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\misc002
C:\Program Files\Inetget2
C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}
C:\Program Files\PrintView


((((((((((((((((((((((((((((((( Files Created from 2006-09-20 to 2006-10-20 ))))))))))))))))))))))))))))))))))


2006-10-20 00:12 18,944 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\DIBL.exe
2006-10-20 00:10 18,944 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\OBKP.exe
2006-10-19 01:43 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-18 23:19 45,056 --a------ C:\WINDOWS\system32\BJNI.exe
2006-10-18 23:18 45,056 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\JQKT.exe
2006-10-16 22:59 48,640 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\7.exe
2006-10-16 22:59 45,056 --a------ C:\WINDOWS\system32\QFLS.exe
2006-10-16 22:59 45,056 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\KOSF.exe
2006-10-16 21:00 45,056 --a------ C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\LDEP.exe
2006-10-16 17:03 45,056 --a------ C:\WINDOWS\system32\OPLHA.exe
2006-10-16 17:03 45,056 --a------ C:\WINDOWS\system32\DSRF.exe
2006-10-16 17:03 115,947 --------- C:\WINDOWS\system32\5.exe
2006-10-01 05:25 48,640 --a------ C:\WINDOWS\system32\si.exe
2006-10-01 05:25 48,128 --a------ C:\WINDOWS\system32\vig.exe
2006-10-01 05:24 15,872 --a------ C:\WINDOWS\system32\OEKPI.exe
2006-10-01 05:23 15,872 --a------ C:\WINDOWS\system32\BMEDK.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-20 01:36 -------- d-------- C:\Program Files\Common Files
2006-10-20 01:32 -------- d-------- C:\Program Files\Internet Explorer
2006-10-19 23:57 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-19 23:54 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-19 23:43 -------- d-------- C:\Program Files\Hijackthis
2006-10-19 01:43 -------- d-------- C:\Program Files\Grisoft
2006-10-19 01:40 -------- d---s---- C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\Microsoft
2006-10-18 04:16 -------- d-------- C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\MailWasherPro
2006-10-17 00:12 -------- d-------- C:\Program Files\WinRAR
2006-10-17 00:09 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-17 00:09 -------- d-------- C:\Program Files\QuickTime
2006-10-16 23:58 -------- d-------- C:\Program Files\iTunes
2006-10-16 21:12 -------- d-------- C:\Program Files\Soulseek
2006-10-16 20:58 -------- d-------- C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\uTorrent
2006-10-12 20:16 -------- d-------- C:\Program Files\MailWasher
2006-10-07 02:47 -------- d-------- C:\Program Files\CCleaner
2006-09-27 06:08 -------- d-------- C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\Roxio
2006-09-27 06:03 -------- d-------- C:\Program Files\Common Files\Napster Shared
2006-09-25 16:39 -------- d-------- C:\Program Files\DVDlabPro
2006-09-23 23:40 -------- d-------- C:\Program Files\FileZilla
2006-09-19 00:22 -------- d-------- C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Application Data\FrostWire
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-22 02:56 -------- d-------- C:\Program Files\AvRack
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"ipxrip"="C:\\WINDOWS\\system32\\ipxrip.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"adiras"="adiras.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"EPSON Stylus Photo R220 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAIE.EXE /P30 \"EPSON Stylus Photo R220 Series\" /O6 \"USB001\" /M \"Stylus Photo R220\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"SoundMan"="SOUNDMAN.EXE"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
"path"="C:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\Startup\\VIA RAID TOOL.lnk"
"backup"="C:\\WINDOWS\\pss\\VIA RAID TOOL.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\VIA\\RAID\\RAID_T~1.EXE "
"item"="VIA RAID TOOL"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adware.Srv32]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="runsrv32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\runsrv32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-20 1:41:32.09
C:\ComboFix.txt ... 06-10-20 01:41





AVG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:33:56 19/10/2006

+ Scan result:



C:\Program Files\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
C:\Program Files\DeluxeCommunications\Dxc.exe -> Adware.DeluxeCommunications : No action taken.
C:\Program Files\DeluxeCommunications\DxcBho.dll -> Adware.DeluxeCommunications : No action taken.
C:\Program Files\DeluxeCommunications\DxcCore.dll -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
HKU\S-1-5-21-329068152-2049760794-682003330-1003\Software\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
HKU\S-1-5-21-329068152-2049760794-682003330-1003\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : No action taken.
HKU\S-1-5-21-329068152-2049760794-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\\DeluxeCommunications -> Adware.DeluxeCommunications : No action taken.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : No action taken.
C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\MyToolBar.dll -> Adware.Softomate : No action taken.
C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\Update.exe -> Adware.Softomate : No action taken.
C:\Program Files\Common Files\{D0B159BC-0489-1033-0428-04080603002c}\services.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP276\A0101823.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP276\A0101824.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP276\A0101825.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP277\A0101959.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP277\A0101960.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP277\A0101961.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP278\A0102111.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP278\A0102112.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP278\A0102113.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP279\A0102262.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP279\A0102263.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP279\A0102264.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0102358.dll -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0102359.exe -> Adware.Softomate : No action taken.
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0102360.dll -> Adware.Softomate : No action taken.
C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[256] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[304] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[316] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[480] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[544] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[612] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
[888] C:\WINDOWS\system32\dxclib303562752.dll -> Adware.SurfSide : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.247realmedia : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Adviva : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Doubleclick : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Liveperson : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Mediaplex : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Serving-sys : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][2].txt -> TrackingCookie.Tradedoubler : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : No action taken.
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.


::Report end




HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 23:35:44, on 19/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\MyToolBar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{30B159BC-0489-1033-0428-04080603002c}\MyToolBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [batt] C:\WINDOWS\system32\batt.exe
O4 - HKCU\..\Run: [wmp] C:\WINDOWS\system32\wmp.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [hhsetup] C:\WINDOWS\system32\hhsetup.exe
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {43331111-1111-1111-1111-611111195622} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



MANY thanks for your assistance again, and please let me know if I've missed anything out!

All the best,

- Chris Owen

Edited by Chris Owen, 19 October 2006 - 07:31 PM.


#4
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Chris

Your response was very detailed, so I will try and answer as much as I can, so your question will be in red with my answer following it.

When running HijackThis in Safe Mode, the following entries were not in the list, and so could not be checked and fixed...

O15 - Trusted Zone: *.p0rt.com
O23 - Service: cmcfg32.exe - Unknown owner - C:\WINDOWS\system32\cmcfg32.exe (file missing)
O23 - Service: nvrsno.exe - Unknown owner - C:\WINDOWS\system32\nvrsno.exe (file missing)
O23 - Service: wdfapi.exe - Unknown owner - C:\WINDOWS\system32\wdfapi.exe (file missing)

I notice these last 3 all had their Start-Up type changed to Disabled earlier in your procedure...is this any connection to them not being in the list?


Yes, I tend to adopt a belt and braces approach to malware removal.

The version of AVG you asked me to download crashed immediately upon applying fixes to all problems it found after its complete system scan in Safe Mode. I ran the scan again, but AVG crashed again. I saved a report regardless, though is this still useful bearing the crash in mind? I'm not certain if AVG applied all the fixes before it crashed. I don't think it did, because when I ran the second scan, the same problem seemed to be present. In lieu of this, is it okay to run the AVG scan in normal mode?

This may be due to the amount of malware still on your PC. After doing this fix, please try again in either mode.

After clicking 'fix checked' in HijackThis in Safe Mode, an error message appeared, stating...

'an unexpected error has occurred at procedure: modBackup_MakeBackup (item=O20 - AppInit_DLLs: dxclib303562752.dll) Error #5 - Invalid procedure call or argument. Please email me at [email protected], reporting the following - *what you were trying to fix when the error occurred, if applicable * how you can reproduce the error *a complete HijackThis scan log, if possible. Windows version - Windows NT 5.01.2600 MSIE version - 6.0.2900.2180 HijackThis version - 1.99.1 This message has been copied to your clipboard. Click OK to continue scan.'

I hit OK and the scan seemed to continue fine, so I'm not sure just how important the error message was.


This is quite a common error message and continuing is the correct procedure. I would ask Merijn what causes it but I am sure I would not understand the answer.

When in add/remove programs - when I tried to uninstall 'J2SE Runtime Environment 5.0 Update 3', a message appeared, stating, 'The Windows Install Service could not be accessed'. There was also an Update 6 in the list, which also threw up the same message. Due to this, I was unable to remove both entries from the list.

You need to keep update 6, but 3 is just clutter. It won't do any harm.

C:\Program Files\Deluxe Communications proved difficult to remove, but I was eventually able to remove it with Ccleaner. Windows couldn't remove it, and kept insisting it was being used by another person or application.

If the files are reported as being in use, then you will have to delete them in Safe Mode; if they still resist, it's because their "hook" files are still present.

From the populated list in add/remove programs, I did not recognise the following -

Adobe Download Manager
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
PIF Designer (now removed)
Toolbar 888 (now removed)

I hope it was okay to remove these last two.


Toolbar888 is malware, PIF Designer is a legitimate Epson printer programme. Adobe is legit as are the J2SE Java programmes.

OK, I want to make you aware of the problems of P2P programmes, which explain why you are here. It is intended as informative rather than a lecture.

P2P Security Risks

P2P (peer-to-peer) file-sharing is a very popular and easy way for users to share music, movies, videos, and other files over the Internet. However, using P2P software is very risky, because it makes you very susceptible to infection, attack, exposure of personal or company information, and even copyright infringement issues.

Installation Of Malware
If you use P2P applications, it is difficult, if not impossible, to verify that the sources of the shared files are safe. P2P applications are often used by attackers to transmit malware (malicious software). The files may contain spyware, viruses, Trojan horses, or worms. When you download the files, your computer can become infected. Currently, experts have estimated that over 70% of the programmes shared on P2P networks contain some sort of malware.

Exposure Of Sensitive Information
When using P2P applications, you may unknowingly give other users access to personal or sensitive information that is stored on your computer. People may be able to access your financial or medical data, personal documents, sensitive corporate information, or other private information. If your computer contains other people's or companies' information, you may even become legally liable if their information gets released in this way.

Vulnerability To Unwanted Attacks
Many P2P applications require you to open specific ports on your firewall to send and receive the shared files through. However, by opening those ports, you may give attackers access to the information on your computer or enable them to attack your computer by taking advantage of any security vulnerabilities that may exist.

Self-Induced Denial Of Service
Downloading files with these applications causes a significant amount of traffic over your internet connection; it also relies on certain processes to happen on your computer. This activity may adversely limit or even block your access to the Internet while you are running these types of programmes.

Prosecution Due To Copyright Infringement

Downloading or sharing copyrighted software, music or videos is illegal. If you download them, even unknowingly, you may be faced with fines or other legal actions.

Conclusion
This article lists only a few of the risks that P2P programmes can open you up to. I urge you to strongly consider not using these types of programmes. If you still choose to use them, research what the best security settings are for the P2P programme you choose using your favourite search engine, use a very good firewall, run daily scans of your system with your antivirus and antispyware applications, constantly monitor the activity and file content in the shared directories to help ensure you don't violate any laws or expose your own data there.

Now for the fix which is just going to be a deletion of bad files.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\DIBL.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\OBKP.exe
C:\WINDOWS\system32\BJNI.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\JQKT.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\7.exe
C:\WINDOWS\system32\QFLS.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\KOSF.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\LDEP.exe
C:\WINDOWS\system32\OPLHA.exe
C:\WINDOWS\system32\DSRF.exe
C:\WINDOWS\system32\5.exe
C:\WINDOWS\system32\vig.exe
C:\WINDOWS\system32\OEKPI.exe
C:\WINDOWS\system32\BMEDK.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please run AVGas in any mode you can. Please ensure that you have altered the recommended actions to Quarantine prior to scanning. Please post the log.

Post back a fresh HijackThis log (from normal mode) and I will take another look.

Hopefully, your PC is now running a lot better. Please let me know if you are still having problems.

#5
Chris Owen

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi again Phil,

Thanks a lot for your prompt reply.

Okay, I've done what you instructed and the latest logs are below.

I have to add that since doing everything you instructed, all the original symptoms of malware have gone. No pops ups, no ads, no virus being found every few minutes.....my PC is operating as it normally does. There's just no sign of what made me post my original problem. This is a great relief. Give yourself a pat on the back!

So if you feel no further logs/checks/scans are necessary, I wanted to thank you for all your help. Can I buy you a few cyber pints? I've kept all the software you told me to download, and have printed the instructions in case I need them again.

Thanks again matey, MUCH appreciated.

- Chris Owen


AVG LOG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 06:14:34 23/10/2006

+ Scan result:



C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105731.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105729.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105730.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105726.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105727.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{200371D4-4CB5-4347-A24A-B247F85BE789}\RP280\A0105728.dll -> Adware.SurfSide : Cleaned with backup (quarantined).


::Report end





HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 03:50:42, on 24/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Soulseek.exe
C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Chris.OWEN-S0JMZQBWPK\Desktop\Documents\Downloaded Software Installers\utorrent.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R220 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIE.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB001" /M "Stylus Photo R220"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe
O4 - HKCU\..\RunOnce: [CyberScurb] "C:\PROGRA~1\CYBERS~1\silent.exe" /R
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM [email protected] 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrad...raderMediaX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1141702308341
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1146016606019
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{38311A06-06C4-47BC-B0F8-B39CE7A938B1}: NameServer = 212.139.132.4 212.139.132.5
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#6
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Chris

I'm glad to hear that your PC is running well. However, in your latest HJT log I see one Trojan, but I'd like you to scan your PC for something quite nasty.

There is a new Trojan downloader around that is replacing legitimate files with malware named exactly the same. This makes a visual inspection rather difficult, as all appears to be OK. However, the malware has a certain size and moves the legitimate files to a folder called bak. This tool will make a search of your PC for files of that exact size, and for any folders named bak.

Please download: FindAWF

Save the tool to the desktop and run it. You will see a DOS screen throughout, which will close, and a file named awf.txt will open. Please post the awf.txt file in your reply.

Please note:-

If a DOS window does not stay open throughout the search (approx a minute) you need to change how the programme runs. Here’s how:
  • Locate the file
  • Right-click and select Properties
  • Select Compatibility and select Run this programme in compatibility mode for: Windows 98/Windows ME and click OK.
  • The tool should now work.
Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O4 - HKCU\..\Run: [ipxrip] C:\WINDOWS\system32\ipxrip.exe

Click on Fix Checked when finished and exit HijackThis.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\ipxrip.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log, from normal mode, and I will take another look.
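The check that FindAWF automates, written out as an added example (this is not the FindAWF tool or anything posted in this thread): walk a drive, find every folder named bak, and compare each moved-aside original with the same-named file now sitting one level up. The exact file size the real downloader uses is not given in the post, so this version flags any pair whose contents differ; the tree it scans is a constructed sample built in a temp directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_of(path):
    # Chunked read so a large binary is not loaded into memory at once.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_bak_swaps(root):
    # For every folder literally named "bak", pair each file it holds with the
    # same-named file one level up; "identical" is False when the live copy no
    # longer matches the original that was moved aside.
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            moved, live = d / name, d.parent / name
            if not live.is_file():
                continue  # only a backup exists, nothing was replaced
            findings.append({
                "live": str(live),
                "live_size": live.stat().st_size,
                "original_size": moved.stat().st_size,
                "identical": sha256_of(live) == sha256_of(moved),
            })
    return findings

def build_sample_tree():
    # Constructed demo tree (plain text files, not real malware): one program
    # whose original was moved into bak and replaced, and one untouched pair.
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    app, tools = root / "Program Files" / "SomeApp", root / "Tools"
    for folder in (app, tools):
        (folder / "bak").mkdir(parents=True)
    (app / "bak" / "someapp.exe").write_bytes(b"original program bytes")
    (app / "someapp.exe").write_bytes(b"dropped replacement of another size")
    (tools / "bak" / "tool.exe").write_bytes(b"same bytes")
    (tools / "tool.exe").write_bytes(b"same bytes")
    return root

if __name__ == "__main__":
    for rec in find_bak_swaps(build_sample_tree()):
        print("ok" if rec["identical"] else "SWAPPED", rec)
```

On a real machine you would point find_bak_swaps at C:\ and treat every non-identical pair as a candidate for the awf.txt review the helper asks for.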

#7
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
I will be away from the forum until Thursday 9th November 2006

#8
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.