Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Newbie to internet - adware problems [RESOLVED]


  • This topic is locked This topic is locked

#1
Grumpy Surfer

Grumpy Surfer

    Member

  • Member
  • PipPip
  • 13 posts
Having for years resisted the temptation to get an internet connection I now have one and now find that I have an infection of some sort.

The main issues are:-

When I go to certain sites or do a search in Google I get adverts that are related to the site I just accessed/searched for. I believe this is called targeted adware. The ad appears in a new instance of the browser. It happens in IE 7 and Firefox 3.0 but not in Safari (I am a PC user). Also, I keep getting an advert saying that my system is under threat. The URL is fp.pc-on-internet.com.

Please can someone guide me as to the procedures I should follow to get rid of this. I have scanned my system using AVG (full version) & Spyware detector V 2.0. Neither report anything amiss.

I am at a compete loss of what I should do.

Any help would be most appreciated. I am a complete novice to all this so please treat me as a newbie idiot and give advice accordingly. I do not really want to have to use Safari as my web browser.
  • 0

Advertisements


#2
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi and welcome to the forums. Sorry for the delay in getting to your post here.

We need a HijackThis log to get some information on your PC.

Please read through and follow the steps in the following link below. If the steps do not work then post a HijackThis log as advised at the end of the post. Post the HijackThis log back here by using the Add Reply button, do not start a new topic.

You Must Read This Before Posting A Hijackthis Log, Malware Cleaning Guide
  • 0

#3
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi there,

Thanks for responding. I have done the following as requested.

Preparation:

Did as told.

Step one:

I ran the two programs to test for spyware/malware. Neither found anything.

Step Two:

Ran Panda Activescan. This seems to have found something (it ran for about 5 hours !). Report produced is as follows:-


ANALYSIS: 2008-06-03 00:22:19
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
*
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
=
===================
AVG Internet Security 8.0 Yes Yes
;===============================================================================
================================================================================
=
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
=
===================
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Mick Holden\Application Data\Mozilla\Firefox\Profiles\7l2yp4v9.default\cookies.txt[.apmebf.com/]
00224391 adware/startpage.amb Adware No 0 Yes No c:\documents and settings\mick holden\favorites\online games
01077299 Generic Malware Virus/Trojan No 0 Yes No C:\Tom Clancy's Splinter Cell Double Agent\SCDA-Offline\System\win2log.exe
02889322 Adware/SpywareDetect Adware No 0 No No P:\spywaredetector.exe
02889322 Adware/SpywareDetect Adware No 0 Yes No C:\Downloads\Spyware\spywaredetector.exe
;===============================================================================
================================================================================
=
===================
SUSPECTS
Sent Location 7
;===============================================================================
================================================================================
=
===================
;===============================================================================
================================================================================
=
===================
VULNERABILITIES
Id Severity Description 7
;===============================================================================
================================================================================
=
===================
170907 HIGH MS07-046 7
170904 HIGH MS07-043 7
;===============================================================================
================================================================================
=
===================

Steps three and four:

System already updated with service pack 2 and later critical updates.

Step 5:

Hijack This Log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:41:03, on 03/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG\AVG8\avgwdsvc.exe
C:\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\AVG\AVG8\avgam.exe
C:\AVG\AVG8\avgrsx.exe
C:\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Logitech\Profiler\lwemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\NetMeter\NetMeter.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\documents and settings\mick holden\local settings\application data\xoizedm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Office 03\Office10\EXCEL.EXE
C:\Program Files\Windows Live\Mail\wlmail.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\vodafone\vmclite\vmc.exe
C:\Safari\Safari.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Spyware Doctor\pctsGui.exe
C:\Spyware Doctor\pctsAuxs.exe
C:\Spyware Doctor\pctsSvc.exe
C:\Spyware Doctor\pctsTray.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BEWINTERNET-UK-IEWSessionManager] C:\Program Files\OrangeBS\IEWInternetUK\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CardDetectorICON225] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\NetMeter\NetMeter.exe] C:\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [xoizedm] c:\documents and settings\mick holden\local settings\application data\xoizedm.exe xoizedm
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Office 03\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208101504375
O17 - HKLM\System\CCS\Services\Tcpip\..\{684BA69D-8E68-41F5-8657-511831C1F9CE}: NameServer = 10.203.129.68 10.203.129.68
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\pctsSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 12176 bytes

The uninstall list-

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.1.0
AGEIA PhysX v7.05.06
AnyDVD
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Connectivity Services
AOL Spyware Protection
AOL UK (Choose which version to remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
ARTEuro
Audacity 1.2.6
AVG 8.0
BackgammonMasters Client
Belarc Advisor 7.0
BitComet 1.01
Black & White® 2
Bonjour
Canon LBP2900
Card Detector for Option Icon 225
CinepPlayer 30 Update
Cool MP3 Splitter 2.0
Cool Mp3 Splitter Joiner 2.15
Corel Paint Shop Pro X
Corel Photo Album 6
Creative MediaSource
DEC
Dell CinePlayer
Dell Driver Reset Tool
Dell Media Experience
Dell Support 5.0.0 (630)
DivX
DivX Player
DVD Decrypter (Remove Only)
DVD Ripper Platinum 4
DVD Shrink 3.1.7
EAX4 Unified Redist
eMule
Favorit
FixTunes (remove only)
Gothic III Release Update
GTA San Andreas
Guild Wars
Hauppauge English Help Files and Resources
Hauppauge TvTv Sync
Hauppauge WinTV Scheduler
Hauppauge WinTV Soft PVR
Hauppauge WinTV2000
Heroes of Might & Magic V: Hammers of Fate
Heroes of Might and Magic V
Heroes of Might and Magic® IV
Highlight Viewer (Windows Live Toolbar)
HijackThis 2.0.2
Hollywood FX 5.5 Additional Effects
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
HP Deskjet 5900 series
HP Extended Capabilities 5.0
HP Image Zone 5.0
HP Imaging Device Functions 5.0
HP Software Update
HP Solution Center & Imaging Support Tools 5.0
Indeo® software
Internet Everywhere uninstall
InterVideo FilterSDK for Hauppauge
InterVideo WinDVD 4
iTunes
Jade Empire
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 5
Java™ 6 Update 6
Learn2 Player (Uninstall Only)
Lemmings Revolution
LimeWire 4.16.7
Logitech Gaming Software
Logitech SetPoint
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Max Registry Cleaner
MCU
MediaLife
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Excel 97
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 97
Microsoft Works 7.0
Mozilla Firefox (2.0.0.14)
MSN
MSXML 4.0 SP2 (KB936181)
MUSICMATCH® Jukebox
Nero 7 Premium
Nero Sipps
NetMeter 1.1.3
Neverwinter Nights
Neverwinter Nights 2
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
Online Manuals for WinTV (English)
Overlord
Panda ActiveScan 2.0
PCFriendly
Pinnacle Hollywood FX for Studio
Play65
proDAD Heroglyph 1.0
Psychonauts
Puzzler Sudoku
QuickTime
RealArcade
RealPlayer Basic
RipIt4Me
Roxio DVDMAX Player
Safari
Scrabble® 2003 Edition
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
SexyGirlStripSaver
Shareaza 2.3.1.0
Smart Menus (Windows Live Toolbar)
SmartSound Quicktracks Plugin
Sonic Activation Module
Sonic Update Manager
Sound Blaster X-Fi
SpyHunter
Spyware Doctor 5.5
SpywareBlaster 4.0
SpyZooka
Studio 9
Studio 9 Content CD/DVD
Studio 9.4 Patch
SUPERAntiSpyware Free Edition
Texas Hold'em 3D XP Championship
THE SETTLERS - Rise of an Empire
The Witcher
Tiscali Internet
Titan Quest
Titan Quest Immortal Throne
Tom Clancy's Splinter Cell Double Agent
Tomb Raider: Anniversary 1.0
Two Worlds
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Viewpoint Media Player
Vodafone Mobile Connect Lite
Wanadoo Europe Installer
What's Running 2.2
Windows Imaging Component
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Writer
Windows Media Format Runtime
Windows Media Video 9 Advanced Profile Codec
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB896626
WinRAR archiver
World Series Of Poker
WWTBAM 2nd Edition

Other scans performed:-

Spyzooka report-[/color

Have attached the report. It finds some suspicious things:

[color="#FF0000"]Spyware Doctor-


Have attached the report. It also finds some nasties.

I hope you can help me out here as it looks as if I have more than just adware problems.

Attached Files


Edited by Grumpy Surfer, 03 June 2008 - 07:33 PM.

  • 0

#4
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Run HijackThis. Click Do a System Scan Only. Put a Check in the box on the left side on this:

O4 - HKCU\..\Run: [xoizedm] c:\documents and settings\mick holden\local settings\application data\xoizedm.exe xoizedm

Then close all windows except HijackThis and press Fix checked.


Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    c:\documents and settings\mick holden\local settings\application data\xoizedm.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at :
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.
  • 0

#5
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
OK. That all went fine.

Results:-


c:\documents and settings\mick holden\local settings\application data\xoizedm.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06042008_024243
  • 0

#6
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Sorry forgot to ask....can you please post a new HijackThis log too.
  • 0

#7
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
New hijack log:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:50:08, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG\AVG8\avgwdsvc.exe
C:\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\AVG\AVG8\avgam.exe
C:\AVG\AVG8\avgrsx.exe
C:\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\RTDCPL.EXE
C:\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\SpywareDetector\SDSystemTray.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Logitech\Profiler\lwemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\NetMeter\NetMeter.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\vodafone\vmclite\vmc.exe
C:\Spyware Doctor\pctsGui.exe
C:\Spyware Doctor\pctsAuxs.exe
C:\Spyware Doctor\pctsSvc.exe
C:\Spyware Doctor\pctsTray.exe
C:\Safari\Safari.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BEWINTERNET-UK-IEWSessionManager] C:\Program Files\OrangeBS\IEWInternetUK\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CardDetectorICON225] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\NetMeter\NetMeter.exe] C:\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-21-466003701-440341560-2136042160-500\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-21-466003701-440341560-2136042160-500\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Office 03\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208101504375
O17 - HKLM\System\CCS\Services\Tcpip\..\{684BA69D-8E68-41F5-8657-511831C1F9CE}: NameServer = 10.203.129.68 10.203.129.68
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\pctsSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 12290 bytes
  • 0

#8
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Use ATF Cleaner to remove temp files,
cookies, cache, ect...

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please do an online scan with Kaspersky WebScanner

You need to use Internet Explorer for this scan.

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HJT log and let me know how it's running.
  • 0

#9
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
OK, doing that now.

I am very impressed with you guys already !!!!
  • 0

#10
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Got to go to bed now as it is 3.45 am here in England. The scan is going to take a long time to run. It only 2% complete and had been running for 15 minutes.

I will post the results later on today (or Tomorrow as it will be for you guys).


Many Thanks


(Less) Grumpy Surfer
  • 0

Advertisements


#11
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Hi,

When those scans are done there is something else I would like you to check for.

Please download Navilog1 by IL-MAFIOSO:
http://pagesperso-or...ix/Navilog1.exe
(*Alternate download location Here)

* Save it to your Desktop.
* Double-click on Navilog1.exe to install the program.
* When the installation is complete, the tool will start automatically.
* If it doesn't start automatically, please double-click on the Navilog1 shortcut on your Desktop to run it.
* Press E for English from the language Menu.
* Type 1 in the next Menu to select Search and press Enter.
* Wait for the Scan to finish (It may take a reasonable amount of time).
* Press any key as requested .
* A new document will be produced: fixnavi.txt.
* Please copy/paste the contents of this report in your next reply.

The report is also saved in the root of the directory, "%SystemDrive%\fixnavi.txt". (usually C:\fixnavi.txt)
  • 0

#12
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Hi there,

1st set of scans completed. However, I am now even more confused as during the Kasersky run AVG active shield reported and attempt to open an infected file:-

C:\Program Files\Panda Security\Active Scan 2.0\pskavs.dll
Trojan horse Patched_c.PO detected on open
Process C:\Program Files\Internet Explorer\iexplore.exe

The file has been moved to the virus vault. Is this a real trojan. I got Panda Active Scan stuff as detailed on the "things to do before submitting a log" page.

Malwarebytes Report


Malwarebytes' Anti-Malware 1.14
Database version: 812

00:58:16 03/06/2008
mbam-log-6-3-2008 (00-58-16).txt

Scan type: Quick Scan
Objects scanned: 39290
Time elapsed: 5 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Kaspersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, June 04, 2008 11:04:34 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/06/2008
Kaspersky Anti-Virus database records: 827328
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
G:\
K:\
P:\
W:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 228426
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:17:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Antispam\scoffset.bin.incr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\AvgAm\avgam.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgam.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log.2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgfw8u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgns.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgrs.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgui.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpub.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_50e417e0-e461-474b-96e2-077b80325612 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mick Holden\Application Data\Apple Computer\Safari\PubSub\Database\Database.sqlite3 Object is locked skipped
C:\Documents and Settings\Mick Holden\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Apple Computer\Safari\Cache.db Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Apple Computer\Safari\WebpageIcons.db Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows Live Mail\edb.log Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows Live Mail\edbtmp.log Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows Live Mail\Mail.MSMessageStore Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows Live Mail\tmp.edb Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Application Data\Microsoft\Windows Live Mail\WindowsLiveMail.log Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\History\History.IE5\MSHist012008060420080605\index.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temp\~DF3A61.tmp Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temp\~DF5FF.tmp Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temp\~DF7493.tmp Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temp\~DFB6B8.tmp Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temp\~DFD921.tmp Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mick Holden\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mick Holden\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Spyware\spywaredetector.exe/file024 Infected: not-a-virus:FraudTool.Win32.SpywareDetector.b skipped
C:\Downloads\Spyware\spywaredetector.exe Inno: infected - 1 skipped
C:\Program Files\Panda Security\ActiveScan 2.0\pskavs.dll Object is locked skipped
C:\Program Files\SpywareDetector\Log\SDLog.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP349\A0067050.exe Infected: Trojan.Win32.Obfuscated.aqn skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_HUAWEI Mobile Connect - 3G Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D3974FF5-AC98-4CAB-9B80-4A4C14027260}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\_nvidia_xxx_.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP359\change.log Object is locked skipped

Scan process completed.

Latest Hijack Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:08, on 04/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\AVG\AVG8\avgwdsvc.exe
C:\AVG\AVG8\avgfws8.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\AVG\AVG8\avgam.exe
C:\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\AVG\AVG8\avgrsx.exe
C:\iTunes\iTunesHelper.exe
C:\AVG\AVG8\avgnsx.exe
C:\Program Files\CardDetector\ICON225\CardDetector.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
C:\Spyware Doctor\pctsSvc.exe
C:\Spyware Doctor\pctsTray.exe
C:\Logitech\Profiler\lwemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\NetMeter\NetMeter.exe
C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\wuauclt.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\vodafone\vmclite\vmc.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Safari\Safari.exe
C:\AVG\AVG8\avgui.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0seenus/saos01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\AVG\AVG8\avgtoolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [RTDCPL] RTDCPL.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BEWINTERNET-UK-IEWSessionManager] C:\Program Files\OrangeBS\IEWInternetUK\SessionManager\SessionManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [AVG8_TRAY] C:\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CardDetectorICON225] C:\Program Files\CardDetector\ICON225\CardDetector.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [RCAutoLiveUpdate] C:\Program Files\Max Registry Cleaner\MaxLiveUpdateRC.exe -AUTO
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Max Registry Cleaner\MaxRCSystemTray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Logitech\Profiler\lwemon.exe" /noui
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [C:\NetMeter\NetMeter.exe] C:\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Microsoft Office 97\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Office 03\Office10\OSA.EXE
O4 - Global Startup: Office Startup.lnk = C:\Microsoft Office 97\Office\OSA.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\OFFICE~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208101504375
O17 - HKLM\System\CCS\Services\Tcpip\..\{684BA69D-8E68-41F5-8657-511831C1F9CE}: NameServer = 10.206.65.68 10.206.65.68
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgwdsvc.exe
O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\AVG\AVG8\avgfws8.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: France Telecom Routing Table Service (FTRTSVC) - France Telecom SA - C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Spyware Doctor\pctsSvc.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe

--
End of file - 11869 bytes

I have also attached the Kaspersky results as a HTML file as it is easier to read. It says that I have infected objects but makes no sense to me. Just lists a lot of locked objects.

Doing the next test now.

Attached Files

  • Attached File  Kas.html   52.09KB   9 downloads

  • 0

#13
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Navilog run. It has found something to do with xoizedm again !!!

Search Navipromo version 3.5.7 began on 04/06/2008 at 12:11:29.14

!!! Warning, this report may include legitimate files/programs !!!
!!! Post this report on the forum you are being helped !!!
!!! Don't continue with removal unless instructed by an authorized helper !!!
Fix running from C:\Program Files\navilog1
Actual User Account : "Mick Holden"

Updated on 11.05.2008 at 18h00 by IL-MAFIOSO


Microsoft Windows XP [Version 5.1.2600]
Version Internet Explorer : 7.0.5730.13
Filesystem type : NTFS

Search done in normal mode


*** Search folders in "C:\WINDOWS" ***


*** Search folders in "C:\Program Files" ***


*** Search folders in "c:\docume~1\alluse~1\applic~1" ***


*** Search folders in "c:\docume~1\alluse~1\startm~1\programs" ***


*** Search folders in "C:\Documents and Settings\Mick Holden\applic~1" ***


*** Search folders in "C:\DOCUME~1\ADMINI~1\applic~1" ***


*** Search folders in "C:\Documents and Settings\Mick Holden\locals~1\applic~1" ***


*** Search folders in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" ***


*** Search folders in "C:\Documents and Settings\Mick Holden\startm~1\programs" ***


*** Search folders in "C:\DOCUME~1\ADMINI~1\startm~1\programs" ***

*** Search with Catchme-rootkit/stealth malware detector by gmer ***
for more info : http://www.gmer.net

No file found


*** Search with GenericNaviSearch ***
!!! Possibility of legitimate files in the result !!!
!!! Must always be checked before manually deleting !!!

* Scan in "C:\WINDOWS\system32" *

* Scan in "C:\Documents and Settings\Mick Holden\locals~1\applic~1" *

* Scan in "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" *



*** Search files ***



*** Search specific Registry keys ***


*** Complementary Search ***
(Search specific files)

1)Search new Instant Access files :


2)Heuristic Search :

* In "C:\WINDOWS\system32" :


* In "C:\Documents and Settings\Mick Holden\locals~1\applic~1" :

xoizedm.dat found !
xoizedm_nav.dat found !
xoizedm_navps.dat found !

* In "C:\DOCUME~1\ADMINI~1\locals~1\applic~1" :


3)Certificates Search :

Egroup certificate found !
Electronic-Group certificate found !
OOO-Favorit certificate found !
Sunny-Day-Design-Ltd certificate not found !

4)Search known files :



*** Search completed on 04/06/2008 at 12:21:05.51 ***
  • 0

#14
Grumpy Surfer

Grumpy Surfer

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
Not sure how far we have got with the process so far. However, I do not seem to be getting the Adware problems now. Have we fixed it ?

And what about all the other things discovered by virus checkers etc ?

Thanks
  • 0

#15
IndiGenus

IndiGenus

    Anti-Malware Buddha

  • Member
  • PipPipPipPip
  • 1,617 posts
Let's first finish dealing with the Navipromo infection, which was confirmed as you mentioned by the file found.

* Double-click on the Navilog1 shortcut icon from your Desktop to run it.
* Press E for English from the language Menu.
* Type 2 in the next Menu and press Enter.
* The tool will then advise you that it will restart your computer.
* Close all open windows and save personnal documents, if any are open.
* If your computer doesn't restart automatically, restart it manually.
* Choose your usual session.
* Wait for the *** Clean finished the ... *** message (It may take a reasonable amount of time)
* A new document will be produced.
* Please copy/paste the contents of this report in your next reply.
* Your Desktop will now appear.

Note : In the event you lose your Desktop, press CTRL+ALT+Delete and run Explorer.exe as a new task.

The report is also saved in the root directory, %SystemDrive%\cleannavi.txt.. (usually C:\cleannavi.txt)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP