Pop ups and viruses

Mr_PieChee · Jun 16, 2006

i've been using spybo adaware and norton together for ages, and they've delt with everything fine. more recently i've been using CCleaner as well to sort out the rubbish in my registry.

2 days ago i downloaded a file for a game, but it turned out to be a big explosion of just about everything you can think of. i norton scaned it before i opened it to be on the safe side but it didn't pick anthing up. when i opened the file it disapeared, and opened a tabless/menuless window to a porn site. i scaned my comp almost emidatly, to find lots of spyware malware etc etc. i also did a norton scan and found nothing, but since then it has found to viruses and sucessfully deleted them, and one trojon whihc it got confused about giving me loads of pop ups, the first telling me it couldn't delete it but quartined it, then told me it was restricted, there a load more finally telling me it couldn't solve it.

any way, even though i got rid of the stuff i could find and before the trojon, i kept getting pop ups to dodgy looking 'windows fixing' sites. the first was the same as the windows installer/help window, only it was inside explorer, and the second was some sort of cleaning program (but it didn't look cosher). i also keep getting new processes with these, two of which were deleted by norton, and many others i have been stoping (i went throuh everything in task manager searching for what it was and deleting the malware ones).
i also keep getting a pop up that dosn't have a start bar tab, and that i can't find a process for (its some online caseino thing).
and i've just had another pop up for winantivirus pro, which had no bottom to the browser.

heres the panda scan log:

Incident Status Location

Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.clickbank.net/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.statcounter.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.atdmt.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.bfast.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.realmedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Matt\Cookies\matt@questionmarket[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Matt\Cookies\matt@stats1.reliablestats[1].txt
Adware:Adware/Searchcontrol Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win69.tmp.exe
Adware:Adware/StartPage.ASV Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win6F.tmp.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Matt\Local Settings\Temp\win71.tmp.exe
Adware:Adware/SaveNow Not disinfected C:\Program Files\DAEMON Tools\SetupDTSB.exe
Adware:Adware/WinTools Not disinfected C:\WINXP\system32\grwinsthlp.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINXP\system32\Tools\Restart.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINXP\winres.dll

and the hijack file

Logfile of HijackThis v1.99.1
Scan saved at 12:06:54, on 16/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\Wt32exe.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\system32\tblmouse.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINXP\system32\RunDll32.exe
C:\WINXP\system32\ctfmon.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKCU\..\Run: [321a9ce2.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\321a9ce2.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.macromedia.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126358425546
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

any help would be greatly appreciated

Mr_PieChee · Jun 16, 2006

yay

i think i may have solved it. i did a norton scan and it found the trojan Trojan.Nebuler, but couldn't remove it. it was using a file named winbue32.exe, where the bue was randomly generated. it basically sent info to 3 addresses, and they sent pop ups file and more viruses bk... any way symantec (the norton company) had a 'thing' on it whihc told me how to get rid of it so i tried that. i havn't been using my comp much since i deleted the file so i'm not positive its bk to normal, but i'll delete this thread if its fine in a day or two. thanks if anyone has tried to work out the problem, and so that i could have wasted your time.

what i did to fix it with detals of the trojan are found here.

Mr_PieChee · Jun 17, 2006

dear god why. it hasn't left me. i'm getting more pop ups still, and i can't get rid of the trojan. i'll do another norton scan when i go to work, but i think its still going to be there...

shelf life · Jun 17, 2006

hi Mr_PieChee,

one more download to get, then a boot into safe mode to run hjt and ewido:

1. Download Ewido and install
Ewido anti malware. It is a free trial version of the program:

http://www.ewido.net/en/download/

2. Install ewido anti malware
3. Launch ewido, there should be an icon on your desktop double-click it.
4. The program will now go to the main screen

You will need to update ewido to the latest definition files.

1. On the left hand side of the main screen click update
2. Then click on Start Update

The update will start and a progress bar will show the updates being installed.
-------------------------------------
once its updated, boot computer into safe mode. how? you reach safe mode by tapping the f8 key during a computer restart, chose the first option from the list: safe mode. you might want to copy/paste the rest of this into notepad and save it so you can read it in safe mode, or print it out.
------------------------------------
ok once in safe mode:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked

O4 - HKCU\..\Run: [321a9ce2.exe] C:\Documents and Settings\Matt\Local Settings\Application Data\321a9ce2.exe

next run ewido anti malware:

Click on scanner
Click Complete System Scan and the scan will begin.
During the scan it will prompt you to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido
----------------------------------------------
using explorer(right click on start>explore) drill down to these >>> you want to delete whats >inside< the folder, not the folder itself<<

C:\Documents and Settings\-Your Profile-\Local Settings\Temp\

do this:
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin
--------------------------------------------
reboot normally, get one of these, install, update and scan:
spybot search and destroy: http://www.safer-networking.org/en/index.html
lava softs ad aware: http://www.lavasoftusa.com/software/adaware/
-------------------------
rescan and post anew hjt log and the ewido log from safe mode

shelf life

Mr_PieChee · Jun 18, 2006

thansk for getting bk to me. i've done everything u've said. i did another norton scan and the trojan wasn't picked up, so i guess its gone, but what it downloeded still remains. the malware prog pick up 3 items.

the new hjk log is:
Logfile of HijackThis v1.99.1
Scan saved at 13:16:04, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\Wt32exe.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\tblmouse.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINXP\system32\RunDll32.exe
C:\WINXP\system32\ctfmon.exe
C:\WINXP\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.macromedia.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126358425546
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

and the anti-malware report is:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 22:46:43, 17/06/2006
+ Report-Checksum: 973104D4

+ Scan result:

C:\Program Files\DAEMON Tools\SetupDTSB.exe -> Adware.SaveNow : Cleaned with backup
C:\WINXP\system32\qomjijg.dll -> Adware.Virtumonde : Cleaned with backup
C:\WINXP\winres.dll -> Downloader.IstBar.ff : Cleaned with backup

::Report End

thanks you form ur time and i hope its not that diffucult to sort out cause i am getting mroe pop ups at the moment, but most of them are for cleaning programs. they all open in IE even though my default browser is set to FF...

shelf life · Jun 18, 2006

hi Mr_PieChee,

download vundoFix.exe by Atri.

http://www.atribune.org/ccount/click.php?id=4

# Double-click VundoFix.exe to run it.
# Click the Scan for Vundo button.
# Once it's done scanning, click the Remove Vundo button.
# You will receive a prompt asking if you want to remove the files, click YES
# Once you click yes, your desktop will go blank as it starts removing Vundo.
# When completed, it will prompt that it will shutdown your computer, click OK.
# Turn your computer back on.

post the contents of C:\vundofix.txt and a new HiJackThis log.
----------------------------------------------

Mr_PieChee · Jun 18, 2006

VundoFix V4.2.84

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 22:51:39 18/06/2006

Listing files found while scanning....

C:\WINXP\system32\ghhkj.bak1
C:\WINXP\system32\ghhkj.bak2
C:\WINXP\system32\ghhkj.ini
C:\WINXP\system32\jkhhg.dll
Attempting to delete C:\WINXP\system32\ghhkj.bak1
C:\WINXP\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINXP\system32\ghhkj.bak2
C:\WINXP\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINXP\system32\ghhkj.ini
C:\WINXP\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINXP\system32\jkhhg.dll
C:\WINXP\system32\jkhhg.dll Could not be deleted.

Performing Repairs to the registry.
Done!

--------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 22:55:34, on 18/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\system32\tblmouse.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINXP\system32\RunDll32.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\Wt32exe.exe
C:\WINXP\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINXP\System32\alg.exe
C:\WINXP\System32\wbem\wmiprvse.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINXP\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINXP\system32\wuauclt.exe
C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.macromedia.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126358425546
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

------------------------------------------------------------------------

there we go, thank you for ur time, i don't seen to get pop ups when i leave my computer... when i view files i seem to get them alot, but not much other times... weird, well 2 me any way...

how do you work out what to do? what are you looking for/at?

shelf life · Jun 20, 2006

hi Mr_PieChee,

sorry for delay. try this, set files to show;

Set Windows to show Hidden files and folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

download this norton istbar removal tool:and run it
http://sarc.com/avcenter/venc/data/adware.istbar.html
------------------------------------------
now boot computer into SAFE MODE, tap f8 key at restart, chose first option.

while in safe mode: run the istbar removal tool once and run ewido once.
also see if you can find and delete this dll:
jkhhg.dll located here:C:\WINXP\system32
-------------------------------------------
shelf life

Mr_PieChee · Jun 20, 2006

thats ok, i'm thankfull that ur helping me!

i ran the istbar tool, and it found nothing. ewido on the other hand found 9 new items:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:00:54, 20/06/2006
+ Report-Checksum: D56F9383

+ Scan result:

HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers\Hot_Tarts -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-1465058494-2018322775-2649032648-1005\Software\Video1\Dialers\Virgins -> Dialer.Generic : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt -> TrackingCookie.Bfast : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup

::Report End

and i couldn't delete that dll even in safe mode. i can go into the recover console and delete it through that if it does need removing. i also found ghhkj.bak2 and ghhjk.bak1 and a configure file for ghhkj. are they for the same file? it seems weird that there just spelt backwards.
i also found a file called pavas.exe that was created near the time i got the infection. i can't find anything about the exe on the net.

shelf life · Jun 20, 2006

hi Mr_PieChee,

its quite possible that those are harmless leftovers, you might try using hjt to delete the .dll

but before, please disable ewidos real time protection just in case it interferes:
Launch Ewido and in the main window click "Realtime protection" (in green indicating "Active") to change to inactive.

start hjt, click on "open misc tools section" htne "delete a file a reboot"
in the window either browse for the dll or copy/paste this: C:\WINXP\system32\jkhhg.dll
in the file name window then select open at the prompt reboot computer

if you can find the others:might as well delete them also
ghhkj.bak2 and ghhjk.bak1 and a configure file for ghhkj
and that pavas.exe

tracking cookies arent a big deal
----------------------------------------
also pick one of these for a online scan:
BitDefender Free Online Virus Scan
http://www.bitdefender.com/scan/licence.php
check AutoClean under Scan Options.

Panda ActiveScan
http://www.pandasoftware.com/produc...5D4-4DA2-B310-B1DBEC2971F2}&NRCACHEHINT=Guest

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner

Housecall at TrendMicro
http://housecall.trendmicro.com/housecall/start_corp.asp
check Auto Clean.

F-Secure virus scanner
http://support.f-secure.com/enu/home/ols.shtml

eTrust Antivirus Web Scanner
http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

Mr_PieChee · Jun 21, 2006

well hjk woun't let me open the window. i click the button and it does nothing or closes its self

and i did a panda soft scan

Incident Status Location

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.realmedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\8zs3x588.xn vngd\cookies.txt[.com.com/]
Adware:Adware/WinTools Not disinfected C:\WINXP\system32\grwinsthlp.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINXP\system32\Tools\Restart.exe

one of them is a hacking tool, so i guess the most potent...

shelf life · Jun 22, 2006

ok lets try pocket killbox instead.

you can get it here:download it to your desktop

http://www.geekstogo.com/forum/index.php?act=dscript&CODE=showdetails&f_id=2

---------------------------------------------
run pocket killbox, check the Delete on reboot option, and click the single file box option--- copy and paste this:

C:\WINXP\system32\jkhhg.dll

in to the Full Path of File to Delete, click the red X.
at the delete on reboot prompt select yes. at the next prompt it will ask if you want to reboot now. select no. copy and paste the next two files below in the window, click red x, delete on reboot, no
when you copy/paste the last file, click red x, delete file on reboot, reboot now? yes.

C:\WINXP\system32\grwinsthlp.exe
C:\WINXP\system32\Tools\Restart.exe

shelf life

Mr_PieChee · Jun 22, 2006

lol.. kill box wouldn't restart, and wouldn't let me put mroe than one file in...

but i just used the recovery console form the windows disk and deleted them that way.

should that fix it all?

heres teh hjk file just in case:
Logfile of HijackThis v1.99.1
Scan saved at 10:06:58, on 22/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINXP\system32\tblmouse.exe
C:\WINXP\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINXP\system32\RunDll32.exe
C:\WINXP\system32\ctfmon.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINXP\system32\nvsvc32.exe
C:\WINXP\system32\Wt32exe.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\comphelpspybot\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newage3.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {B8A8A387-4AFF-4210-B674-0ABA882FEA2D} - C:\WINXP\system32\jkhhg.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINXP\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINXP\System\SmWizard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.macromedia.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) -

http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -

http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126358425546
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) -

http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -

http://messenger.zone.msn.com/binary/ZIntro.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file

missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: jkhhg - C:\WINXP\system32\jkhhg.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINXP\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program

Files\xampp\filezillaftp\filezillaserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINXP\system32\Wt32exe.exe

--------------------------------
it shows that the jkhhg file now has a missing dll. i'm going to run CCleaner now to remove that, and all the temp files etc.

shelf life · Jun 24, 2006

hi Mr_PieChee,

should that fix it all

yes, log looks ok. run hjt to remove these from the log:

O2 - BHO: (no name) - {B8A8A387-4AFF-4210-B674-0ABA882FEA2D} - C:\WINXP\system32\jkhhg.dll (file missing)

O20 - Winlogon Notify: jkhhg - C:\WINXP\system32\jkhhg.dll (file missing)

shelf life

Mr_PieChee · Jun 24, 2006

Thanks for all your help, its greatly appreciated!

LonnyRJones · Jul 1, 2006

Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).

Pop ups and viruses

Mr_PieChee

New member

Mr_PieChee

New member

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

shelf life

Emeritus

Mr_PieChee

New member

LonnyRJones

Security Expert-Emeritus