Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Newest MSN Worm/Trojan help.


  • This topic is locked This topic is locked

#46
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
"Administrator" - 07-01-16 17:50:00 Service Pack 2
ComboFix 07-01-14.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-16 to 2007-01-16 ))))))))))))))))))))))))))))))))))


2007-01-16 17:16 180,480 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2007-01-16 16:48 <DIR> d-------- C:\WINDOWS\LastGood
2007-01-16 16:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\media dent meet coal
2007-01-16 16:42 <DIR> d-------- C:\WINDOWS\Prefetch
2007-01-16 16:28 0 --a------ C:\AUTOEXEC.BAT
2007-01-16 16:28 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-01-15 22:05 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-01-15 22:05 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-01-14 14:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-14 14:31 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 09:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\InstallShield
2006-12-27 23:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Activision
2006-12-27 23:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-12-27 23:01 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-12-27 23:01 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-12-27 23:01 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-12-22 21:31 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-20 20:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\IMVU
2006-12-20 20:46 <DIR> d-------- C:\Program Files\IMVU
2006-12-20 16:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-18 21:53 286,208 --a------ C:\WINDOWS\system32\cncs232.dll
2006-12-16 16:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2006-12-16 16:27 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2006-12-16 03:16 679,936 --a------ C:\WINDOWS\system32\D3DX81ab.dll
2006-12-16 03:13 <DIR> d-------- C:\Program Files\WinPcap


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-16 17:44 -------- d-------- C:\Program Files\flashget
2007-01-16 17:43 -------- d--h----- C:\Program Files\installshield installation information
2007-01-16 17:43 -------- d-------- C:\Program Files\thumbdrive guard
2007-01-15 16:21 -------- d-------- C:\Program Files\steam
2007-01-02 15:12 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2006-12-23 13:31 -------- d-------- C:\Program Files\starcraft
2006-12-20 22:30 -------- d-------- C:\Program Files\mozilla firefox
2006-12-20 16:31 -------- d-------- C:\Program Files\konami
2006-12-15 15:48 -------- d-------- C:\Program Files\Common Files\scanner
2006-12-13 16:41 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\cr120twn
2006-12-07 23:50 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2006-11-27 22:46 -------- d-------- C:\Program Files\msn messenger
2006-11-27 19:50 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-26 10:39 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\trojanhunter
2006-11-26 09:05 -------- d-------- C:\Program Files\trojanhunter 4.6
2006-11-25 22:50 -------- d-------- C:\Program Files\ca
2006-11-25 22:47 -------- d-------- C:\Program Files\norton antivirus
2006-11-25 22:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-11-25 22:47 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\symantec
2006-11-25 22:46 -------- d-------- C:\Program Files\symantec
2006-11-20 05:01 -------- d-------- C:\Program Files\msxml 4.0
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-18 21:47 767488 --a------ C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 656896 --a------ C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 613376 --a------ C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 535040 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 38400 --a------ C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 317440 --a------ C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 295936 --a------ C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --a------ C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 2603008 --a------ C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072 --a------ C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072 --a------ C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 212992 --a------ C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 199168 --a------ C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 166912 --a------ C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1574912 --a------ C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 1543680 --a------ C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912 --a------ C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632 --a------ C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 132096 --a------ C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048 --a------ C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 101888 --a------ C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:00 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MultiRes"="C:\\Program Files\\MultiRes\\MultiRes.exe"
@=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\cafw.exe -cl"
"capfaem"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\capfaem.exe"
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"WinVNC"="\"C:\\Program Files\\UltraVNC\\WinVNC.exe\" -servicehelper"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"MPFExe"="C:\\PROGRA~1\\McAfee.com\\PERSON~1\\MpfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1143733202\\ee\\AOLSoftware.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Qurb {EBA5BE5C}"=""
"ccube_Cleanup"="\"C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\cacu_001.exe\" /cleanup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Loadout Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Loadout Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Belkin\\Nostromo\\nost_LM.exe -startup"
"item"="Loadout Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM_STI.EXE Yht PC Camera"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I2H1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{566c3e43-5d0e-11d9-a228-806d6172696f}]
Shell\AutoRun\command E:\setup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc7c326a-2a79-11db-a380-00112fd5870f}]
Shell\AutoRun\command G:\AutoRun.exe
Shell\configure\command G:\ThumbDriveGuardSetup.exe
Shell\install\command G:\ThumbDriveGuardSetup.exe

Completion time: 07-01-16 18:06:12
C:\ComboFix2.txt ... 07-01-14 22:20
  • 0

Advertisements


#47
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
So... anyway to eliminate the Windows Installer issue? Ill take a screenshot if you want.
  • 0

#48
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Delete next folder:

C:\Documents and Settings\All Users\Application Data\media dent meet coal

I would like to let you know I have uninstalled CA Anti-virus and ThumbDrive Guard.

Now im only using Ewido and AVG.


Then you should post new logs though, because above logs don't make sense anymore as both are still showing the presence of Thumbguard and CA Antivirus + Norton Antivirus.

Did you purchase Trojan Hunter? If not, uninstall it.

Also, Ewido is an outdated version and has been changed to AVG Antispyware, so uninstall Ewido.

To fully remove Norton AntiVirus, you should go here and download the files and print the instructions for removal, and follow them after uninstalling NAV:
How to uninstall Norton AntiVirus 2003/2004/2005/2006/2007 (note: this removes ALL Norton 2003/2004/2005/2006/2007 products from your computer)
How to uninstall Norton AntiVirus 2000/2001/2002

Also read this article in case you're having problems with uninstalling Norton if above instructions didn't work, or noticed problems after uninstalling Norton:
http://basconotw.mvps.org/SymRem.htm

Once you've done all above, then we can deal with the Windows Installer issue.
When does this exactly open? Because you say when you open Explorer windows. Is this Internet Explorer you mean? Because Explorer and Internet Explorer is different.
What is the Windows Installer asking for? To install What?

What's present in your E-drive?
Because I see an extra Mountpoint being present, calling your E:\setup.exe
These mountpoints can indeed be a cause when you open explorer windows that you get an error or ask for Windows installer or whatever.
And since the ThumbDriveGuard also created these, it *may be a cause when corrupted. That's why I asked you to uninstall it.

Once it's uninstalled, then we can search further and remove leftovers. If that didn't solve the problem, then we can search for other causes.

So, post a new Hijackthislog and new Combofix log in your next reply and let me know what this Windows Installer is asking to install or to what it refers and when you exactly get it (Internet Explorer or Explorer)
  • 0

#49
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
It happens whenever I open a new "Internet Explorer" or Whenever an Internet related pop-up appears, e.g. Javascript popups or just advertisement, or when "Open link in a new window."

It also occurs When (I don't know if you're familiar with the program)
Steam pop's up the "News Update" page which is also connected to the internet.

And I can't seem to fully Uninstall CA anti-virus. Something about insufficient access, but im the only user and Administrator of my computer...

Volume E is my CD/DVD drive. The Drive is currently empty.

Ill post another Hijack this log but Combofix will have to wait till after school ( about 7 hours from this post)
  • 0

#50
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
The following items have been removed from Add/remove programs and Manually deleted from Program files:

Ewido Anti-Spyware
Symantec Live update (I do not see any traces of Norton but ill use the Uninstaller you provided)
Trojan Hunter
Trojan Guard.

And I do not see traces of the Thumbdrive anymore, maybe I need to reboot, and ill do so before posting the Hijack This log.
  • 0

#51
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
Would it be a bad idea just to delete the whole CA-AntiVirus folder from the Program Files?


Logfile of HijackThis v1.99.1
Scan saved at 8:01:02 AM, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MultiRes\MultiRes.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Administrator\Desktop\Comp Protection\Mike screwing up\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flashget Catch Url Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MultiRes] C:\Program Files\MultiRes\MultiRes.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143733202\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138938344945
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload....GPlugin8USA.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay12...ex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: Btentlmc - Unknown owner - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: SmartProtection Agent Service - Unknown owner - C:\Program Files\ThumbDrive Guard\SmartProtectionService.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\UltraVNC\WinVNC.exe" -service (file missing)
  • 0

#52
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

Don't remove anything manually yet before you break some more. I see CA Internet Security Suite is still up and running.
So uninstall anything related with CA via add/remove programs. And yes, when you uninstall something, it is important you reboot afterwards.

By the way, I also do NOT recommend the BitComet ClickCapture toolbar.
  • 0

#53
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Some other things I noticed.... and I wonder how you actually uninstall something, because files get removed, but related keys won't get deleted.

So let's clean up a bit more of the leftovers after you uninstalled Trojan Guard, Trojan Hunter, ThumbDrive Guard etc..

I also see Ahead\InCD is not present anymore because it also shows as File missing, I don't see it in your running processes either. But related registry keys are still there - same for McAfee.

We won't touch CA products through Hijackthis yet, because it is important that you get it uninstalled. Deleting it manually may cause problems.

Good advise for the future.... Next time if you want to install Security Software and you are not planning to buy it anyway in the future, don't install it then, but install a free alternative instead. This because, when you install Trial software, it will expire, so it won't be able to update anymore and won't protect you either anymore.
What happens in such cases? People install another Security Suite on top, or another Antivirus, because the current one has expired. And that's a big mistake, since having more than one Antivirus and Firewall can cause A LOT of problems!!!

Extra addition. Did you purchase Flashget? In case you didn't, uninstall it, because as far as I know, the free version is bundled with Spyware.

Actually, this is a general rule. When you are using trial versions (no matter what software you are using), you should uninstall it when the trial has expired - or buy it.

So do next please.. (I'll also let you fix some unnecessary startup items)

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O23 - Service: Btentlmc - Unknown owner - (no file)
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SmartProtection Agent Service - Unknown owner - C:\Program Files\ThumbDrive Guard\SmartProtectionService.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, go to start > run and copy and paste next commands one by one in in the field and hit enter after each command:

sc delete Btentlmc

sc delete InCDsrv

sc delete LiveUpdate

sc delete "SmartProtection Agent Service"


Do you still have UltraVNC installed? Let me know.

Concerning the Windows Installer problem. You say that you have it when you open a new Internet Explorer Window, when you get popups (those popups should be gone now) etc..
So this is most probably related with a BHO interfering/causing this.
I remember that Yahoo toolbar may interfere with opening new windows, but normally it shouldn't display the Windows Installer issue.

In anyway, to find out what may causing this, do next..


1. Open Internet Explorer.
2. On the Tools menu, click Manage Add-ons.
3. In the Show box, click the set of add-ons that you want to see.

Select next ones:

yt.dll
AcroIEHelper.dll
jccatch.dll
BitCometBHO.dll
SDHelper.dll
getflash.dll

and choose to disable them for each.

Also, in your Internet Explorer, choose toolbars and disable the Flashget Toolbar there.

This is how we can to try to figure out what is causing these Windows installer popping up all the time, because BHO's and Toolbars *may cause this.

After performing ALL the above, post a new Hijackthislog.
  • 0

#54
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
it says I do not have sufficient Privileges to remove CA AntiSpyware. Which is awkward since im the Administrator.

ThumbGuard, Trojan Guard and Trojan Hunter should all be removed already.

UltraVNC shouldn't be installed in this computer... It was in my old one, traces of its files might come from whatever I backed up.

Lastly,
I do not have any BitComet tool bar
and Flashget never specifies whether its a Free Trial or not, but Ill uninstall it anyways.
  • 0

#55
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

it says I do not have sufficient Privileges to remove CA AntiSpyware

The CA AntiSpyware is your CA Pest Patrol. I am talking about all CA related products you have installed. Don't only uninstall your CA Pest Patrol/Anti Spyware.
This is a common issue with CA Anti spyware as mentioned here:
http://crm.my-etrust...U...=&Analyst=0
They say there to remove the CA Anti Spyware manually (I am only talking about the CA Antispyware here, I am not talking about the other CA products you have installed, those you should UNINSTALL using add/remove)

Above link shows it for an earlier version of CA Antispyware (pest-patrol), couldn't find instructions for the latest one. But in your case, this is the main related service:

O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe

So check above entry in your Hijackthis and reboot.

After reboot, remove next folder:

C:\Program Files\CA\SharedComponents\PPRT (that's the folder only related with CA Pest Patrol/AntiSpyware)

Then uninstall the other CA Products.

Lastly,
I do not have any BitComet tool bar

It is a BHO (Browser Helper Object) and you do have it though.. These are the related entries in your Hijackthislog:

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\tools\BitCometBHO.dll
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddAllLink.htm

I don't know how it is called in add/remove programs, but I guess it will be called Bitcomet Clickcapture or so.

UltraVNC shouldn't be installed in this computer... It was in my old one, traces of its files might come from whatever I backed up.


In that case, go to start > run and copy and paste next command in the field:

sc delete winvnc Hit enter

Edited by miekiemoes, 17 January 2007 - 06:08 PM.

  • 0

Advertisements


#56
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
"Administrator" - 07-01-17 15:44:19 Service Pack 2
ComboFix 07-01-14.2 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))


2007-01-16 17:16 180,480 --a------ C:\WINDOWS\system32\drivers\yk51x86.sys
2007-01-16 16:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\media dent meet coal
2007-01-16 16:42 <DIR> d-------- C:\WINDOWS\Prefetch
2007-01-16 16:28 0 --a------ C:\AUTOEXEC.BAT
2007-01-15 22:05 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-01-15 22:05 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-01-14 14:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-14 14:31 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 09:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\InstallShield
2006-12-27 23:20 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Activision
2006-12-27 23:19 <DIR> d--hs---- C:\WINDOWS\ftpcache
2006-12-27 23:01 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-12-27 23:01 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-12-27 23:01 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-12-22 21:31 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-20 20:47 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\IMVU
2006-12-20 20:46 <DIR> d-------- C:\Program Files\IMVU
2006-12-20 16:45 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-18 21:53 286,208 --a------ C:\WINDOWS\system32\cncs232.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-17 15:41 -------- d-------- C:\Program Files\yahoo!
2007-01-17 15:40 -------- d-------- C:\Program Files\flashget
2007-01-17 15:35 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-17 07:55 -------- d-------- C:\Program Files\ewido anti-malware
2007-01-16 18:23 -------- d-------- C:\Program Files\steam
2007-01-16 17:43 -------- d--h----- C:\Program Files\installshield installation information
2007-01-02 15:12 2560 --a------ C:\WINDOWS\system32\bitcometres.dll
2006-12-23 13:31 -------- d-------- C:\Program Files\starcraft
2006-12-20 22:30 -------- d-------- C:\Program Files\mozilla firefox
2006-12-20 16:31 -------- d-------- C:\Program Files\konami
2006-12-16 16:32 -------- d-------- C:\Program Files\windows media connect 2
2006-12-16 03:13 -------- d-------- C:\Program Files\winpcap
2006-12-15 15:48 -------- d-------- C:\Program Files\Common Files\scanner
2006-12-13 16:41 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\cr120twn
2006-12-07 23:50 -------- d---s---- C:\DOCUME~1\ADMINI~1\Application Data\microsoft
2006-11-27 22:46 -------- d-------- C:\Program Files\msn messenger
2006-11-27 19:50 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-26 10:39 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\trojanhunter
2006-11-25 22:50 -------- d-------- C:\Program Files\ca
2006-11-25 22:47 -------- d-------- C:\Program Files\norton antivirus
2006-11-25 22:47 -------- d-------- C:\DOCUME~1\ADMINI~1\Application Data\symantec
2006-11-20 05:01 -------- d-------- C:\Program Files\msxml 4.0
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-18 21:47 767488 --a------ C:\WINDOWS\system32\wmvsencd.dll
2006-10-18 21:47 656896 --a------ C:\WINDOWS\system32\wmvxencd.dll
2006-10-18 21:47 613376 --a------ C:\WINDOWS\system32\wmpmde.dll
2006-10-18 21:47 535040 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 21:47 38400 --a------ C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 21:47 317440 --a------ C:\WINDOWS\system32\mp4sdecd.dll
2006-10-18 21:47 295936 --a------ C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 21:47 284160 --a------ C:\WINDOWS\system32\portabledeviceapi.dll
2006-10-18 21:47 2603008 --a------ C:\WINDOWS\system32\wpdshext.dll
2006-10-18 21:47 259072 --a------ C:\WINDOWS\system32\mpg4decd.dll
2006-10-18 21:47 259072 --a------ C:\WINDOWS\system32\mp43decd.dll
2006-10-18 21:47 212992 --a------ C:\WINDOWS\system32\mfplat.dll
2006-10-18 21:47 199168 --a------ C:\WINDOWS\system32\portabledevicewmdrm.dll
2006-10-18 21:47 166912 --a------ C:\WINDOWS\system32\portabledevicetypes.dll
2006-10-18 21:47 1574912 --a------ C:\WINDOWS\system32\wmvencod.dll
2006-10-18 21:47 1543680 --a------ C:\WINDOWS\system32\wmvdecod.dll
2006-10-18 21:47 1382912 --a------ C:\WINDOWS\system32\wmvsdecd.dll
2006-10-18 21:47 133632 --a------ C:\WINDOWS\system32\wpdshserviceobj.dll
2006-10-18 21:47 132096 --a------ C:\WINDOWS\system32\portabledevicewiacompat.dll
2006-10-18 21:47 130048 --a------ C:\WINDOWS\system32\wmpps.dll
2006-10-18 21:47 101888 --a------ C:\WINDOWS\system32\portabledeviceclassextension.dll
2006-10-18 20:00 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-10-18 20:00 17408 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
"MultiRes"="C:\\Program Files\\MultiRes\\MultiRes.exe"
@=""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SsAAD.exe"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"cctray"="\"C:\\Program Files\\CA\\CA Internet Security Suite\\cctray\\cctray.exe\""
"cafwc"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\cafw.exe -cl"
"capfaem"="C:\\Program Files\\CA\\CA Internet Security Suite\\CA Personal Firewall\\capfaem.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"WinVNC"="\"C:\\Program Files\\UltraVNC\\WinVNC.exe\" -servicehelper"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1143733202\\ee\\AOLSoftware.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink DVD Solution\\PowerDVD\\PDVDServ.exe\""
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"IPHSend"="C:\\Program Files\\Common Files\\AOL\\IPHSend\\IPHSend.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Loadout Manager.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Loadout Manager.lnk"
"backup"="C:\\WINDOWS\\pss\\Loadout Manager.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Belkin\\Nostromo\\nost_LM.exe -startup"
"item"="Loadout Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BigDogPath]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VM_STI"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VM_STI.EXE Yht PC Camera"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo R200 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I2H1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2H1.EXE /P30 \"EPSON Stylus Photo R200 Series\" /O6 \"USB001\" /M \"Stylus Photo R200\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Application Launcher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Sony Ericsson\\Mobile2\\Application Launcher\\Application Launcher.exe\" /startoptions"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SsAAD"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Sony\\SONICS~1\\SsAAD.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc7c326a-2a79-11db-a380-00112fd5870f}]
Shell\AutoRun\command G:\AutoRun.exe
Shell\configure\command G:\ThumbDriveGuardSetup.exe
Shell\install\command G:\ThumbDriveGuardSetup.exe

Completion time: 07-01-17 15:50:34
C:\ComboFix2.txt ... 07-01-16 18:06
C:\ComboFix3.txt ... 07-01-14 22:20
  • 0

#57
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
yt.dll
jjcatch.dll
getflash.dll

couldn't be found.
  • 0

#58
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
I see the Mountpoints in the registrt for the ThumbDriveGuard are not removed.
So to remove it,

Open notepad and copy and paste next present in the quotebox below in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{fc7c326a-2a79-11db-a380-00112fd5870f}]

Save this as fixthumbguard.reg Choose to save as *all files and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Since you uninstalled Norton, Ewido and Trojanhunter, remove next folders:

C:\Program Files\norton antivirus
C:\DOCUME~1\ADMINI~1\Application Data\symantec
C:\Program Files\Common Files\symantec shared
C:\DOCUME~1\ADMINI~1\Application Data\trojanhunter
C:\Program Files\ewido anti-malware

Did you also read my steps concerning the Windows Installer and disabling toolbars/BHO's?

1. Open Internet Explorer.
2. On the Tools menu, click Manage Add-ons.
3. In the Show box, click the set of add-ons that you want to see.

Select next ones:

yt.dll
AcroIEHelper.dll
jccatch.dll
BitCometBHO.dll
SDHelper.dll
getflash.dll

and choose to disable them for each.

Also, in your Internet Explorer, choose toolbars and disable the Flashget Toolbar there.

This is how we can to try to figure out what is causing these Windows installer popping up all the time, because BHO's and Toolbars *may cause this.


Do you still get the Windows installer then?

edit, just saw your previous post:

yt.dll
jjcatch.dll
getflash.dll

couldn't be found.


that's because you uninstalled flashget.
Did you uninstall Yahoo as well? Because yt.dll is related with Yahoo.

Edited by miekiemoes, 17 January 2007 - 06:25 PM.

  • 0

#59
Angelboi

Angelboi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 300 posts
Windows Installer still present
Yes I removed Yahoo.


Logfile of HijackThis v1.99.1
Scan saved at 4:31:17 PM, on 17/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MultiRes\MultiRes.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Administrator\Desktop\Comp Protection\Mike screwing up\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\tools\BitCometBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [MultiRes] C:\Program Files\MultiRes\MultiRes.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfaem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfaem.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143733202\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Documents and Settings\Administrator\Desktop\BitComet_0.80\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard....des/cabs/si.cab
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.c.../acclaim_v4.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1138938344945
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A2E05F45-F127-4092-B9F7-9A02C3E04C77} (HGPlugin7USA Class) - http://gamedownload....GPlugin7USA.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BC5E698E-77CF-45EF-80A3-090A4B6AAF83} (HGPlugin8USA Class) - http://gamedownload....GPlugin8USA.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload....GPlugin9USA.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay12...ex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: PFW - C:\WINDOWS\SYSTEM32\UmxWnp.Dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - Unknown owner - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
  • 0

#60
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
When I compare logs...
The very first log you posted and the latest log, you have been installing A LOT of programs in a meanwhile.
I also see in your latest log Nvidia installed (related with your Videocard), but missing again?

23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc32.exe (file missing)

These Nvidia related files weren't present in your very first log.
Can you explain what you did here as well?

This one is also suddenly installed and missing, because that one wasn't present in your first log either:

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe (file missing)

You have to understand that this is really confusing if programs are getting installed, uninstalled, manually deleted, while the first priority actually was cleaning up malware first.
And because of all these actions, some of these may cause that Windows Installer thing, because something was not properly removed.

Please download this utility:
http://support.microsoft.com/kb/290301

Run the program and you'll see a list of all your installed programs using the Windows Installer.
Select the ones you know you UNINSTALLED/removed previously and click Clear for each of them. Don't select any of the programs you still have installed.

Also, please proceed with uninstalling all the CA products via add/remove programs, because A LOT of them are still running (Firewall, Antivirus)

Then get a free Antivirus and Firewall instead (look in my signature)
Don't install an Antivirus and Firewall as long as all the CA products are not removed, because then you'll have problems.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP