Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Spyware/malware/adware/popup problem [RESOLVED]


  • This topic is locked This topic is locked

#1
wai_2j

wai_2j

    Member

  • Member
  • PipPip
  • 36 posts
Hi, i've scanned my computer with every possible spyware detector program but still cannot get rid of this annoying popup problem. Please could you help me. My hijackthis log it below:

Logfile of HijackThis v1.99.1
Scan saved at 15:05:15, on 02/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\DOCUME~1\Simon\LOCALS~1\Temp\20059103518_mcinfo.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awvtt.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\kusbrcg.exe
O4 - HKLM\..\Run: [msci] C:\DOCUME~1\Simon\LOCALS~1\Temp\20059103518_mcinfo.exe /insfin
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {37B630E3-3FED-4F4A-B8BE-46AB443C51A9} (Finctl Control) - http://64.186.136.51/a/setup.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager...unttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145
O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hello and welcome!

Please download VundoFix.zip to your desktop.
  • Double-click VundoFix.zip and extract it to your C:\ directory.
  • Copy the instructions below and paste them into Notepad for reference.
    • All other windows need to be closed while doing this fix!
  • Navigate to the new folder C:\VundoFix
  • Double click on KillVundo.bat
    • When it starts running it will tell you that you need an active internet connection then ask you to press any key once you do.
  • Please press any key to continue.
  • Wait for HiJackThis to open.
  • When HiJackThis opens, click Do a system scan only. Place a check next to the following items, if found:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\awvtt.dll

    O20 - Winlogon Notify: awvtt - C:\WINDOWS\system32\awvtt.dll

  • Once they all have a check next to them, click the FIX CHECKED button, then close HiJackThis.
You will once again be prompted to press any key. Upon doing so this time you will receive a "Blue Screen Of Death". Don't worry, this is normal! Let the computer reboot. If it doesn't boot straight to windows, manually turn the computer off and then back on.

Once the computer is rebooted post a new HiJackThis log as well as the contents of vundofix.txt which can be found in this folder: C:\VundoFix

- Rawe :tazz:
  • 0

#3
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
thanks for the reply and instructions. I did everything accordingly. The hijackthis log is below with the vundofix text after.

Logfile of HijackThis v1.99.1
Scan saved at 15:31:48, on 02/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AOL 9.0b\waol.exe
C:\Program Files\AOL 9.0b\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\kusbrcg.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {37B630E3-3FED-4F4A-B8BE-46AB443C51A9} (Finctl Control) - http://64.186.136.51/a/setup.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager...unttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125670567328
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Vundofix

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 648 'smss.exe'
Threads [652][656][660]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 272 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 720 'winlogon.exe'
Killing PID 720 'winlogon.exe'
Sucessfully Deleted
  • 0

#4
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Run a scan with HiJackThis and check the following objects for removal:

O17 - HKLM\System\CCS\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{238208D5-2A82-448F-BC4A-7EADABA08681}: NameServer = 205.188.146.145


Make sure they are checked, close ALL open windows except for HiJackThis and hit FIX CHECKED.

Reboot and run the following online scan, post it's results here in a reply:

Panda Activescan :tazz:
  • 0

#5
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
hi thanks for the help. I tried scanning my computer with panda scan several times, but internet explorer seems to close itself everytime after a few minutes into the scan.
  • 0

#6
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
I think the winfixer popup has gone, since i haven't seen it since... but i still have the problem of the paypopup.com popup. Any help would be very much appreciated thanks
  • 0

#7
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#8
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
ok, just finished scanning with Kaspersky. Here are the results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 02, 2005 22:08:46
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/09/2005
Kaspersky Anti-Virus database records: 138673
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 99651
Number of viruses found: 32
Number of infected objects: 85
Number of suspicious objects: 1
Duration of the scan process: 7526 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Simon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\tick.class-769deb75-429708f5.class Infected: Trojan-Downloader.Win32.Small.bhf
C:\Documents and Settings\Simon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\tock.class-7038857b-575ad377.class Infected: Trojan-Downloader.Win32.Small.bhf
C:\Documents and Settings\Simon\My Documents\Programs\Ahead.Nero.Burning.ROM.v6.3.1.20.Ultra.Edition.Incl.Keygen-ORiON.zip/Keygen.exe Infected: Trojan-Dropper.Win32.Delf.fl
C:\Documents and Settings\Simon\My Documents\Programs\Ahead.Nero.Burning.ROM.v6.3.1.20.Ultra.Edition.Incl.Keygen-ORiON.zip Infected: Trojan-Dropper.Win32.Delf.fl
C:\Documents and Settings\Simon\My Documents\Programs\Virtual Dub Mod\VirtualDub.exe Infected: Trojan-Dropper.Win32.Delf.dh
C:\Documents and Settings\Simon\My Documents\Programs\VirtualDub 1.5.4 P4 Optimized.rar/VirtualDub.exe Infected: Trojan-Dropper.Win32.Delf.dh
C:\Documents and Settings\Simon\My Documents\Programs\VirtualDub 1.5.4 P4 Optimized.rar Infected: Trojan-Dropper.Win32.Delf.dh
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle09022005012810325187.asw Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\QFle09022005012810325201.asw Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\04FB1691.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\04FB1691.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\072245F9.dat Infected: P2P-Worm.Win32.Tanked.14
C:\Program Files\Norton AntiVirus\Quarantine\089B060F.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\089B060F.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\0D965D79.exe Infected: Net-Worm.Win32.Dedler.u
C:\Program Files\Norton AntiVirus\Quarantine\18C52B87.exe Infected: Trojan-Downloader.Win32.Stubby.a
C:\Program Files\Norton AntiVirus\Quarantine\19CA284A.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\19CA284A.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\1A472C47.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\1A472C47.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\1E2C4545.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\20DE3E6A.exe Infected: P2P-Worm.Win32.SpyBot.gen
C:\Program Files\Norton AntiVirus\Quarantine\296357A1.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\2A1838D1.exe Infected: P2P-Worm.Win32.SpyBot.gen
C:\Program Files\Norton AntiVirus\Quarantine\2CA47DBA.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\2CDC477D.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\2D173B3D.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\2D7C50CD.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\2E043E3C.exe Infected: P2P-Worm.Win32.SpyBot.gen
C:\Program Files\Norton AntiVirus\Quarantine\32426F96.htm Suspicious: Exploit.HTML.DialogArg
C:\Program Files\Norton AntiVirus\Quarantine\3B9648D4.exe Infected: Trojan-Downloader.Win32.Agent.jc
C:\Program Files\Norton AntiVirus\Quarantine\3E3D15FB.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\43EA7E76.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\43EA7E76.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\469C4745.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\469C4745.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\469C4745.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\469C4745.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\469C4745.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4823673E.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\4823673E.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\487E389D.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\487E389D.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\4E202348.dat Infected: P2P-Worm.Win32.Tanked.14
C:\Program Files\Norton AntiVirus\Quarantine\4F4D39FD.dat Infected: P2P-Worm.Win32.Tanked.11
C:\Program Files\Norton AntiVirus\Quarantine\51B30F5A.dat Infected: P2P-Worm.Win32.Tanked.11
C:\Program Files\Norton AntiVirus\Quarantine\55213818.exe Infected: Backdoor.Win32.Webdor.x
C:\Program Files\Norton AntiVirus\Quarantine\57AA7401.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\58B65F6B.htm Infected: Trojan-Clicker.HTML.IFrame.a
C:\Program Files\Norton AntiVirus\Quarantine\5A3725C9.exe Infected: Worm.Win32.Pinom.c
C:\Program Files\Norton AntiVirus\Quarantine\5B6A1078.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\5F445118 Infected: Trojan-Downloader.Win32.VB.bo
C:\Program Files\Norton AntiVirus\Quarantine\5FBC69F5.exe Infected: P2P-Worm.Win32.SpyBot.gen
C:\Program Files\Norton AntiVirus\Quarantine\5FBD3BDA.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\5FBD3BDA.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\60404D01.exe Infected: Backdoor.Win32.Delf.ic
C:\Program Files\Norton AntiVirus\Quarantine\6410620E Infected: Trojan.Win32.Starter.a
C:\Program Files\Norton AntiVirus\Quarantine\658B5E69.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\65913262.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\65955C5F.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\6598065B.exe Infected: Backdoor.Win32.Gobot.p
C:\Program Files\Norton AntiVirus\Quarantine\68D20F0C.dat Infected: P2P-Worm.Win32.Tanked.14
C:\Program Files\Norton AntiVirus\Quarantine\6BC81BCA.dat Infected: P2P-Worm.Win32.Tanked.14
C:\Program Files\Norton AntiVirus\Quarantine\6BDB41A7.class Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\6BDB41A7.exe Infected: Trojan-Downloader.Win32.Small.aaq
C:\Program Files\Norton AntiVirus\Quarantine\6C947B41/[From <big@boss.com>][Date Wed, 26 Mar 2003 19:06:50 -0000]/Movie_0074.mpeg.pif Infected: Email-Worm.Win32.Sobig.a
C:\Program Files\Norton AntiVirus\Quarantine\6C947B41 Infected: Email-Worm.Win32.Sobig.a
C:\Program Files\Norton AntiVirus\Quarantine\6D901C2C/[From <big@boss.com>][Date Fri, 11 Apr 2003 19:24:00 +0100]/Untitled1.pif Infected: Email-Worm.Win32.Sobig.a
C:\Program Files\Norton AntiVirus\Quarantine\6D901C2C Infected: Email-Worm.Win32.Sobig.a
C:\Program Files\Norton AntiVirus\Quarantine\6ECB3125.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\70B2014C.exe Infected: Trojan-DDoS.Win32.Boxed.w
C:\Program Files\Norton AntiVirus\Quarantine\72CD2500.exe Infected: Worm.Win32.Pinom.gen
C:\Program Files\Norton AntiVirus\Quarantine\73CF3910.dat Infected: P2P-Worm.Win32.Tanked.14
C:\Program Files\Norton AntiVirus\Quarantine\7429527E.dat Infected: P2P-Worm.Win32.Apsiv
C:\Program Files\Norton AntiVirus\Quarantine\754F74E5.htm Infected: Trojan.JS.Seeker
C:\Program Files\Norton AntiVirus\Quarantine\764065A6 Infected: Trojan-DDoS.Win32.Boxed.n
C:\Program Files\Norton AntiVirus\Quarantine\76CD5EB0.exe Infected: P2P-Worm.Win32.SpyBot.gen
C:\Program Files\Norton AntiVirus\Quarantine\77766D32.exe Infected: Trojan-Downloader.Win32.Agent.jc
C:\Program Files\Norton AntiVirus\Quarantine\7B4B7ECB.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\7F74259A.htm Infected: Trojan-Clicker.HTML.IFrame.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP286\A0083534.exe Infected: Trojan-Downloader.Win32.Small.bhf
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP286\A0083535.exe Infected: Trojan-Downloader.Win32.Small.bhf
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP288\A0085530.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.ja
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP288\A0085530.exe Infected: Trojan-Downloader.Win32.IstBar.ja
C:\WINDOWS\SYSTEM32\awvtr.dll Infected: Trojan-Downloader.Win32.ConHook.i
C:\WINDOWS\SYSTEM32\jkhhg.dll Infected: Trojan-Downloader.Win32.ConHook.i

Scan process completed.
  • 0

#9
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\SYSTEM32\awvtr.dll
C:\WINDOWS\SYSTEM32\jkhhg.dll


6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

Next..

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directoy as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#10
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Thanks for all your help ppl, the spy sweeper log is posted below:

********
00:33: |··· Start of Session, 04 September 2005 ···|
00:33: Spy Sweeper started
00:33: Sweep initiated using definitions version 526
00:33: Starting Memory Sweep
00:37: Memory Sweep Complete, Elapsed Time: 00:03:28
00:37: Starting Registry Sweep
00:37: Registry Sweep Complete, Elapsed Time:00:00:11
00:37: Starting Cookie Sweep
00:37: Found Spy Cookie: 2o7.net cookie
00:37: simon@122.2o7[1].txt (ID = 1958)
00:37: Found Spy Cookie: websponsors cookie
00:37: simon@a.websponsors[2].txt (ID = 3665)
00:37: Found Spy Cookie: yieldmanager cookie
00:37: simon@ad.yieldmanager[1].txt (ID = 3751)
00:37: Found Spy Cookie: adknowledge cookie
00:37: simon@adknowledge[1].txt (ID = 2072)
00:37: Found Spy Cookie: hbmediapro cookie
00:37: simon@adopt.hbmediapro[2].txt (ID = 2768)
00:37: Found Spy Cookie: belointeractive cookie
00:37: simon@ads.belointeractive[2].txt (ID = 2295)
00:37: Found Spy Cookie: atwola cookie
00:37: simon@atwola[2].txt (ID = 2255)
00:37: Found Spy Cookie: a cookie
00:37: simon@a[1].txt (ID = 2027)
00:37: Found Spy Cookie: belnk cookie
00:37: simon@belnk[1].txt (ID = 2292)
00:37: simon@belointeractive[1].txt (ID = 2294)
00:37: Found Spy Cookie: bluestreak cookie
00:37: simon@bluestreak[1].txt (ID = 2314)
00:37: Found Spy Cookie: burstnet cookie
00:37: simon@burstnet[2].txt (ID = 2336)
00:37: Found Spy Cookie: gostats cookie
00:37: simon@c4.gostats[2].txt (ID = 2748)
00:37: Found Spy Cookie: clickbank cookie
00:37: simon@clickbank[2].txt (ID = 2398)
00:37: Found Spy Cookie: com.com cookie
00:37: simon@com[2].txt (ID = 2445)
00:37: simon@dist.belnk[2].txt (ID = 2293)
00:37: Found Spy Cookie: adbureau cookie
00:37: simon@etype.adbureau[1].txt (ID = 2060)
00:37: simon@gostats[2].txt (ID = 2747)
00:37: Found Spy Cookie: maxserving cookie
00:37: simon@maxserving[1].txt (ID = 2966)
00:37: Found Spy Cookie: touchclarity cookie
00:37: simon@msn.touchclarity[1].txt (ID = 3566)
00:37: simon@mysa.belointeractive[1].txt (ID = 2295)
00:37: Found Spy Cookie: nuker cookie
00:37: simon@nuker[1].txt (ID = 3085)
00:37: Found Spy Cookie: offeroptimizer cookie
00:37: simon@offeroptimizer[2].txt (ID = 3087)
00:37: Found Spy Cookie: realmedia cookie
00:37: simon@realmedia[1].txt (ID = 3235)
00:37: Found Spy Cookie: reunion cookie
00:37: simon@reunion[2].txt (ID = 3255)
00:37: Found Spy Cookie: webtrendslive cookie
00:37: simon@S111319[1].txt (ID = 3670)
00:37: Found Spy Cookie: server.iad.liveperson cookie
00:37: simon@server.iad.liveperson[1].txt (ID = 3341)
00:37: Found Spy Cookie: statcounter cookie
00:37: simon@statcounter[2].txt (ID = 3447)
00:37: Found Spy Cookie: reliablestats cookie
00:37: simon@stats1.reliablestats[2].txt (ID = 3254)
00:37: Found Spy Cookie: winantiviruspro cookie
00:37: simon@www.winantiviruspro[2].txt (ID = 3690)
00:37: Found Spy Cookie: xmatch cookie
00:37: simon@xmatch[1].txt (ID = 3719)
00:37: simon@yieldmanager[1].txt (ID = 3749)
00:37: Cookie Sweep Complete, Elapsed Time: 00:00:11
00:37: Starting File Sweep
00:38: Warning: Failed to read file "c:\documents and settings\simon\local settings\temp\~dfdcca.tmp". System Error. Code: 2.
The system cannot find the file specified
00:38: Warning: Failed to read file "c:\documents and settings\simon\local settings\temp\~df300e.tmp". System Error. Code: 2.
The system cannot find the file specified
00:41: Warning: Failed to read file "c:\documents and settings\simon\local settings\temp\~dfb428.tmp". System Error. Code: 2.
The system cannot find the file specified
00:42: Warning: Failed to read file "c:\documents and settings\simon\local settings\temp\~df3004.tmp". System Error. Code: 2.
The system cannot find the file specified
00:43: File Sweep Complete, Elapsed Time: 00:06:06
00:43: Full Sweep has completed. Elapsed time 00:10:02
00:43: Traces Found: 32
00:49: Removal process initiated
00:49: Quarantining All Traces: 2o7.net cookie
00:49: Quarantining All Traces: websponsors cookie
00:49: Quarantining All Traces: yieldmanager cookie
00:49: Quarantining All Traces: adknowledge cookie
00:49: Quarantining All Traces: hbmediapro cookie
00:49: Quarantining All Traces: belointeractive cookie
00:49: Quarantining All Traces: atwola cookie
00:49: Quarantining All Traces: a cookie
00:49: Quarantining All Traces: belnk cookie
00:49: Quarantining All Traces: bluestreak cookie
00:49: Quarantining All Traces: burstnet cookie
00:49: Quarantining All Traces: gostats cookie
00:49: Quarantining All Traces: clickbank cookie
00:49: Quarantining All Traces: com.com cookie
00:49: Quarantining All Traces: adbureau cookie
00:49: Quarantining All Traces: maxserving cookie
00:49: Quarantining All Traces: touchclarity cookie
00:49: Quarantining All Traces: nuker cookie
00:49: Quarantining All Traces: offeroptimizer cookie
00:49: Quarantining All Traces: realmedia cookie
00:49: Quarantining All Traces: reunion cookie
00:49: Quarantining All Traces: webtrendslive cookie
00:49: Quarantining All Traces: server.iad.liveperson cookie
00:49: Quarantining All Traces: statcounter cookie
00:49: Quarantining All Traces: reliablestats cookie
00:49: Quarantining All Traces: winantiviruspro cookie
00:49: Quarantining All Traces: xmatch cookie
00:49: Removal process completed. Elapsed time 00:00:06
********
  • 0

Advertisements


#11
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Please print these instructions out, or write them down, as you can't read them during the fix.

Update Ewido to the latest definitions.

Download CleanUp
Install the program, dont run it yet, we will later.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Now open Ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close Ewido.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select YES
  • Close CleanUp
Boot up into normal mode and post the Ewido log along with a fresh HiJackThis log in a reply. :tazz:
  • 0

#12
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
Hi, thanks for the reply.

I have the new Ewido and hijackthis logs below:

Ewido
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:22:30, 08/09/2005
+ Report-Checksum: EDF2CF3C

+ Scan result:

:mozilla.6:C:\Documents and Settings\Simon\Application Data\Mozilla\Firefox\Profiles\frv77acf.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@adopt.euroclick[1].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@e-2dj6wjkokhcpsap.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@e-2dj6wjkyegdpogq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@e-2dj6wjlyancjsfo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Simon\Cookies\simon@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Simon\Local Settings\Temp\Cookies\simon@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Simon\Local Settings\Temp\Cookies\simon@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Simon\Local Settings\Temp\Cookies\simon@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Simon\My Documents\Programs\Ahead.Nero.Burning.ROM.v6.3.1.20.Ultra.Edition.Incl.Keygen-ORiON.zip/Keygen.exe -> TrojanDropper.Delf.fl : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP289\A0085974.dll -> Spyware.Yahoo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP289\A0085975.exe -> Spyware.IGetNet : Cleaned with backup


::Report End

Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 15:44:54, on 08/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btopenworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = +w
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btopenworld.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HDAudio Driver] C:\WINDOWS\system32\kusbrcg.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0b\aoltray.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.btopenworld.com/
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct1_x.cab
O16 - DPF: Yahoo! MahJong - http://download.game...nts/y/ot0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {37B630E3-3FED-4F4A-B8BE-46AB443C51A9} (Finctl Control) - http://64.186.136.51/a/setup.cab
O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager...unttracking.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125670567328
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futurema...lobal/msc34.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abac...abasetup145.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.bto...twebcontrol.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks for all your help
  • 0

#13
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Sorry for the late reply...

Do you still have problems? :tazz:
  • 0

#14
wai_2j

wai_2j

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts
No problems that i know of now, which is good! Thanks for all your help ppl, really appreciate your efforts!
  • 0

#15
Rawe

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Great job, it appears your system is clean :tazz:

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


Be sure to set a new restore point. :)

Here's some tips for future to prevent spyware;

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

If you want to learn how to help people with malware problems like I helped you, feel free to take a look at this thread; http://www.geekstogo...here-t4817.html :)
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP