View Full Version : I need help...can't get rid of viruses!
Mysticbear
2007-01-02, 06:14
I have contracted a virus through MSN Messenger and I can't get rid of it.
I have used the following virus scanners:
Spy Bot s&d
Spy Sweeper-Webroot
Ad-Aware
All of these have been unable to completely clear my computer of whatever it is that is not right.
When I do the Spy Bot scan it says that I have smitfraud.C and Microsoft.Windows.Redirectedhosts, NewDotNet, Avenue A, DoubleClick, CoreMetrics and AV-Gold but it won't fix the problem
I can not remember what it is telling me for Spy Sweeper or Ad Aware.
In my add or remove programs list it also said that I had Outerinfo...I got rid of it through HiJack.This(won't let me spell the whole word or my window shuts down) as well as Bar888
Some help would be greatly appreciated as I am a virus dummy!
Thank you in advance!
As well there is an icon that looks like mine on my desktop that says "Click to find and Fix errors"
Mysticbear
2007-01-02, 06:17
I also have had some luck with hijack.this and have been able to get a log I am not sure if it is right or not.
Also I tried to do an online scan and it won't let me visit any of the sites so I was unable to do so.
here is the hijack.this Log:
Logfile of HijackThis v1.99.1
Scan saved at 7:54:19 PM, on 1/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\dyfrism\winlogon.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RACLE~1\explorer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\??pPatch\?hkdsk.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HJT\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBHelper - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8e533859-9309-4333-bab7-f3de4a5942c3} - C:\WINDOWS\system32\dbme32.dll (file missing)
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Mysticbear
2007-01-02, 06:56
I tried this removal tool while I was waiting for a response. I figured it might help out some later on in this game!!!
Here is the log from the Smitfraudfix.exe
SmitFraudFix v2.132
Scan done at 21:46:47.73, Mon 01/01/2007
Run from C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\keyboard1.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\svchosts.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mom and Dad\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\MOMAND~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32
»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
I hope that this helps and doesn't mess anything else up!! Thanks
Mysticbear
2007-01-03, 20:31
I noticed that someone had the same problem as me and it has taken a while for me to get a reply so i have also tried this as suggeste to Giltrap by Mr_Jak3
Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINDOWS\system32\svchosts.exe
Click on Send
Wait for the scan to end.
Copy & Paste the scan results to here.
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
This is the log I got from virustotal:
STATUS: FINISHEDComplete scanning result of "svchosts.exe", received in VirusTotal at 01.03.2007, 20:11:01 (CET).
Antivirus Version Update Result
AntiVir 7.3.0.21 01.03.2007 TR/Dldr.Agent.bca.11
Authentium 4.93.8 12.30.2006 no virus found
Avast 4.7.892.0 12.30.2006 no virus found
AVG 386 01.03.2007 Generic2.MHF
BitDefender 7.2 01.03.2007 Adware.Softomate.Z
CAT-QuickHeal 8.00 01.03.2007 no virus found
ClamAV devel-20060426 01.03.2007 no virus found
DrWeb 4.33 01.03.2007 no virus found
eSafe 7.0.14.0 01.02.2007 no virus found
eTrust-InoculateIT 23.73.103 01.03.2007 no virus found
eTrust-Vet 30.3.3299 01.03.2007 no virus found
Ewido 4.0 01.03.2007 Downloader.Agent.bca
Fortinet 2.82.0.0 01.03.2007 W32/Agent.BCA!tr.dldr
F-Prot 3.16f 01.02.2007 no virus found
F-Prot4 4.2.1.29 01.03.2007 no virus found
Ikarus T3.1.0.27 01.03.2007 no virus found
Kaspersky 4.0.2.24 01.03.2007 Trojan-Downloader.Win32.Agent.bca
McAfee 4931 01.03.2007 Matcash
Microsoft 1.1904 01.03.2007 no virus found
NOD32v2 1954 01.03.2007 no virus found
Norman 5.80.02 12.31.2007 W32/Softomate.ES.dropper
Panda 9.0.0.4 01.03.2007 Adware/Maxifiles
Prevx1 V2 01.03.2007 Trojan.SystemPoser
Sophos 4.13.0 01.02.2007 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.141 01.01.2007 no virus found
UNA 1.83 01.03.2007 no virus found
VBA32 3.11.1 01.03.2007 no virus found
VirusBuster 4.3.19:9 01.03.2007 no virus found
Aditional Information
File size: 36864 bytes
MD5: 7b69c00ba9f072dd06d61411fc09ded5
SHA1: c080169d9b2824399e3dd7a9678487e67841f4c5
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 36864 bytes.
[ Changes to filesystem ]
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}.
* Creates directory C:WINDOWS{837F873E-0000-1044--popo0000}.
* Creates file C:WINDOWS{837F873E-0000-1044--popo0000}directorexe.lzma.
* Creates file C:WINDOWS{837F873E-0000-1044--popo0000}Update.exe.
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}directorexe.lzma.
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}directordll.lzma.
[ Changes to registry ]
* Creates key "HKLMSoftwareHARDWAREDESCRIPTIONSystemCentralProcessor
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=42b766636399
and the log i got from combofix:
Mom and Dad - 07-01-03 11:15:42.45 Service Pack 1
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Mom and Dad\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\taskkill.com
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\{3C2C697E-0821-1033-0421-041028030001}
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\QooBox\Purity\WINDOWS\PPATCH~1
C:\QooBox\Purity\WINDOWS\PPATCH~1\?hkdsk.exe
C:\QooBox\Purity\WINDOWS\system32\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\explorer.exe
C:\QooBox\Purity\WINDOWS\system32\RACLE~1\?racle
((((((((((((((((((((((((((((((( Files Created from 2006-12-03 to 2007-01-03 ))))))))))))))))))))))))))))))))))
2007-01-03 11:19 <DIR> d-------- C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
2007-01-01 21:46 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-01-01 21:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-01-01 21:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-01-01 21:46 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-01-01 21:46 3,670 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-01 21:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-01-01 21:46 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-01-01 19:34 <DIR> d-------- C:\Program Files\HJT
2007-01-01 16:04 684,032 --a------ C:\WINDOWS\system32\libeay32.dll
2007-01-01 16:04 155,648 --a------ C:\WINDOWS\system32\ssleay32.dll
2007-01-01 16:04 15,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-01-01 16:04 15,360 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-01-01 16:04 14,848 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-01-01 16:04 122,368 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-01-01 16:04 <DIR> d-------- C:\Program Files\Webroot
2007-01-01 16:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-01-01 16:02 <DIR> d-------- C:\Documents and Settings\Mom and Dad\Application Data\Webroot
2006-12-31 01:00 <DIR> d--h----- C:\Program Files\Common Files\Uninstall Information
2006-12-31 00:30 <DIR> d-------- C:\Program Files\PeDevice
2006-12-30 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-30 20:59 <DIR> d-------- C:\Documents and Settings\Mom and Dad\Application Data\Lavasoft
2006-12-30 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2006-12-30 20:57 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-12-30 20:57 <DIR> d-------- C:\Program Files\Outerinfo
2006-12-30 20:27 <DIR> d-------- C:\Program Files\Ipwindows
2006-12-30 20:25 92,485 --a------ C:\gp.exe
2006-12-30 20:25 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-30 20:24 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-30 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-30 18:12 <DIR> d--hs---- C:\WINDOWS\system32\dyfrism
2006-12-23 09:12 <DIR> d-------- C:\Program Files\Santa
2006-12-12 06:43 183,808 --a-s---- C:\WINDOWS\NDNuninstall7_48.exe
2006-12-03 20:50 <DIR> d-------- C:\Program Files\QuickTime
2006-12-03 20:49 <DIR> d-------- C:\Program Files\iTunes
2006-12-03 20:48 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-01-03 11:19 -------- d-------- C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
2007-01-03 11:19 -------- d-------- C:\Program Files\Common Files
2007-01-01 16:27 -------- d-------- C:\Program Files\Windows NT
2007-01-01 16:27 -------- d-------- C:\Program Files\Windows Media Player
2007-01-01 16:27 -------- d-------- C:\Program Files\Internet Explorer
2006-12-30 20:58 -------- d-------- C:\Program Files\Google
2006-12-30 20:38 -------- d-a-s---- C:\Program Files\NewDotNet
2006-12-30 20:38 -------- d-------- C:\Program Files\Free Offers from Freeze.com
2006-12-23 19:41 1226 --a------ C:\Documents and Settings\Mom and Dad\Application Data\AdobeDLM.log
2006-12-03 20:47 -------- d-------- C:\Program Files\iPod
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Bano"="\"C:\\WINDOWS\\System32\\RACLE~1\\explorer.exe\" -vt yazb"
"Aqsz"="C:\\WINDOWS\\??pPatch\\?hkdsk.exe"
"swg"="\"C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.2480\\GoogleToolbarNotifier.exe\""
"winlogon"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VTTimer"="VTTimer.exe"
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"OpwareSE2"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"QuickFinder Scheduler"="\"C:\\WUTemp\\Programs\\QFSCHD100.EXE\""
"ViewMgr"="\"C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_04\\bin\\jusched.exe\""
"ht5nkgki"="C:\\WINDOWS\\System32\\ht5nkgki.exe"
"AcctMgr"="\"C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe\" /startup"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"{CC2C697E-0821-1033-0421-041028030001}"="\"C:\\Program Files\\Common Files\\{CC2C697E-0821-1033-0421-041028030001}\\Update.exe\" te-110-12-0000282"
"{CC2C697E-0822-1033-0421-041028030001}"="\"C:\\Program Files\\Common Files\\{CC2C697E-0822-1033-0421-041028030001}\\Update.exe\" te-110-12-0000282"
"SpySweeper"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"winlogon"=""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcctMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AcctMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Password Manager\\AcctMgr.exe /startup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GhostStartTrayApp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dbme32
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job
C:\WINDOWS\tasks\wrSpySweeper_66D7702AC3264E8FAE2BDA71DAFD43F6.job
Completion time: 07-01-03 11:19:52.17
C:\ComboFix.txt ... 07-01-03 11:19
C:\ComboFix2.txt ... 07-01-03 11:14
Hope this helps some anyways!
Mysticbear
2007-01-03, 20:46
Logfile of HijackThis v1.99.1
Scan saved at 11:44:36 AM, on 1/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\WINDOWS\System32\svchosts.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\dyfrism\winlogon.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HJT\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Bano] "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi and welcome to the Forums :)
You got quite nice collection of infections there...
Please Download LSPFix from http://www.cexx.org/lspfix.htm
Don't use it yet.
You should print these instructions or save these to a text file. Follow these instructions carefully.
At first you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...
Disable SpySweeper's realtime protection.
Open Spysweeper and click on Options
Choose Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================
Open Control Panel -> Add/Remove programs -> Remove all the of the following or similar entries if found:
NewDotNet
New.Net
Viewpoint
Free Offers from Freeze.com
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
MarketScore
Relevant Knowledge
and any other programs you didn't install or don't recognize - if your not sure please ask first
Restart the computer.
===========
If you can't access the internet after the reboot, run LSPFIX. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and place all listings of mkls.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section. Press the finish button.
Then Reboot and you should be able to connect to the internet.
==========
Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
Update.exe
svchosts.exe <-- svchostS, svchost is legitimate
Disable bad services
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to COM+ Messages
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; COM+ Messages
Answer Yes
Close HIjackThis
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O1 - Hosts: 1.1.1.1 f-secure.com
O1 - Hosts: 1.1.1.1 www.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.f-secure.com
O1 - Hosts: 1.1.1.1 ftp.sophos.com
O1 - Hosts: 1.1.1.1 liveupdate.symantec.com
O1 - Hosts: 1.1.1.1 customer.symantec.com
O1 - Hosts: 1.1.1.1 dispatch.mcafee.com
O1 - Hosts: 1.1.1.1 download.mcafee.com
O1 - Hosts: 1.1.1.1 rads.mcafee.com
O1 - Hosts: 1.1.1.1 mast.mcafee.com
O1 - Hosts: 1.1.1.1 my-etrust.com
O1 - Hosts: 1.1.1.1 www.my-etrust.com
O1 - Hosts: 1.1.1.1 nai.com
O1 - Hosts: 1.1.1.1 www.nai.com
O1 - Hosts: 1.1.1.1 networkassociates.com
O1 - Hosts: 1.1.1.1 secure.nai.com
O1 - Hosts: 1.1.1.1 securityresponse.symantec.com
O1 - Hosts: 1.1.1.1 service1.symantec.com
O1 - Hosts: 1.1.1.1 sophos.com
O1 - Hosts: 1.1.1.1 www.sophos.com
O1 - Hosts: 1.1.1.1 support.microsoft.com
O1 - Hosts: 1.1.1.1 symantec.com
O1 - Hosts: 1.1.1.1 www.symantec.com
O1 - Hosts: 1.1.1.1 update.symantec.com
O1 - Hosts: 1.1.1.1 updates.symantec.com
O1 - Hosts: 1.1.1.1 us.mcafee.com
O1 - Hosts: 1.1.1.1 vil.nai.com
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 www.viruslist.com
O1 - Hosts: 1.1.1.1 grisoft.com
O1 - Hosts: 1.1.1.1 www.grisoft.com
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 trendmicro.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 www.trendmicro.com
O1 - Hosts: 1.1.1.1 pandasoftware.com
O1 - Hosts: 1.1.1.1 www.pandasoftware.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_48.dll
O2 - BHO: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [ViewMgr] "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [{CC2C697E-0821-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0821-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [{CC2C697E-0822-1033-0421-041028030001}] "C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: "C:\WINDOWS\System32\RACLE~1\explorer.exe" -vt yazb
O4 - HKCU\..\Run: [Aqsz] C:\WINDOWS\??pPatch\?hkdsk.exe
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
O20 - Winlogon Notify: dbme32 - dbme32.dll (file missing)
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\wnsapiit.exe
C:\WINDOWS\System32\ht5nkgki.exe
C:\gp.exe
C:\WINDOWS\system32\svchosts.exe
Go to the My Computer and delete the following folders (if present):
C:\Program Files\MarketScore
C:\Program Files\Relevant Knowledge
C:\Program Files\Outerinfo
C:\Program Files\Ipwindows
C:\Program Files\Common Files\{CC2C697E-0822-1033-0421-041028030001}
C:\Program Files\NewDotNet
C:\Program Files\Free Offers from Freeze.com
C:\WINDOWS\System32\dyfrism
C:\Program Files\Viewpoint
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on[b] Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
We'll reset your hosts file. If you used a customized hosts file you need to set that again after the cleaning. Download free! Hoster v3.5 from here: http://www.funkytoad.com/content/view/13/
When you have it click on the button to "Restore Microsoft's Hosts File", follow any prompts.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
Mysticbear, still with us?
Mysticbear
2007-01-12, 04:12
Yeah...I am still trying to figure this out....Hopefully tomorrow I will have it done!
Mysticbear
2007-01-12, 18:41
It will not let me go to this site:
http://www.ewido.net/en/download/
I dont' want to accidently download something else so is there another link for AVG Anit Spyware?
Thank you
Hi :)
Please see if this link works --> AVG Anti-Spyware 7.5 Free (http://free.grisoft.com/softw/70free/setup/avg75free_432a904.exe)
Let me know :bigthumb:
Mysticbear
2007-01-12, 23:42
Nope that one is not working!
It just comes up as
Cannot find server-Microsoft Internet Explorer
and on the acutal page itself it says
THe page connot be displayed!
Mysticbear
2007-01-13, 06:42
I found a back door to downloading AVG Anti-Spyware
But my screen keeps closing on me everytime that I try to
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to COM+ Messages
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK
It won't let me Set Startup to Disabled...It just keeps closing on me before I can even find where to click it!!!
Ok...you still have nasties there...Let's try the following
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot the computer in Normal Mode,
Post the Cure-it report and a fresh HijackThis log
Mysticbear
2007-01-15, 12:47
Here is the updated Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 3:34:48 AM, on 1/15/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HJT.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\mkls.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Here is the log from Dr.Web Cureit:
01_-_Eight_easy_steps.mp3;C:\Documents and Settings\Megan\Local Settings\Temp;Trojan.DownLoader.1729;Deleted.;
blake shelton-blake shelton-some beach.mp3;C:\Documents and Settings\Megan\Local Settings\Temp;Trojan.DownLoader.1729;Deleted.;
p2psetup.exe\data001;C:\Documents and Settings\Megan\Local Settings\Temp\p2psetup.exe;Adware.PeerNet;;
p2psetup.exe;C:\Documents and Settings\Megan\Local Settings\Temp;Archive contains infected objects;Moved.;
Process.exe;C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Mom and Dad\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Blake Shelton - Blake Shelton - 5 - Ol' Red.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
Blake Shelton - Ol' Red - 5.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
blake shelton-some beach-blake shelton.mp3;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
Gonna Be My Girl.wma;C:\My Downloads;Trojan.DownLoader.1729;Deleted.;
rdesktop.exe;C:\Program Files\01 Com\I'm InTouch\BIN;Probably DLOADER.Trojan;Incurable.Moved.;
adwarefilter-log.txt;C:\Program Files\AdwareFilter-savelogs;Probably MACRO.SCRIPT.IRC.WORM.Virus;Incurable.Moved.;
GoogleUpdaterInstallMgr.exe;C:\Program Files\Google\Google Updater\2.0.711.37800;Probably DLOADER.Trojan;Incurable.Moved.;
ipwins.dll;C:\Program Files\Ipwindows;Adware.Maxifiles;Incurable.Moved.;
ipwins.exe;C:\Program Files\Ipwindows;Adware.Maxifiles;Incurable.Moved.;
OemjiPls.dll;C:\Program Files\Oemji\OemjiSearchPlus;Adware.IEFriend;Incurable.Moved.;
NDNuninstall6_98.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
NDNuninstall7_48.exe;C:\WINDOWS;Adware.NewDotNet;Incurable.Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
__delete_on_reboot__s_w_i_n_r_p_e_x_._e_x_e_;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Moved.;
Also....It wouldn't let me save the scan report for AVG. I am unsure as why but the AVG example that you have on the screen looks nothing like the one that I have downloaded.
Also this is a list of the Program Files.. ..Some of them look suspicious(SP?) So if you could take a look and tell me if I should delete some that would be great!
Thank you!
found.000-----folder
boot.ini.bak------bak file
Config----Systemfile
NT Detect---------MS DOS Application
ntldr------system file
pagefile-------system file
rapport-----notepad
UNWISE------Icon that looks like a trash can
The above are one in the C:Drive and the one below are in the Program Files in C:Drive and are all folders
OICOM-----Folder
Netmeeting------Folder
NoAdware3
PeDevice
Xldfoyy
Windows NT
Yaplock
noadware------is a computer software Icon!
Hi :)
Please don't delete anything yet, most of those were legitimate.
We'll check one thing before continuing:
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.majorgeeks.com/GMER_d5198.html
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning ! Please, do not select the "Show all" checkbox during the scan.
Mysticbear
2007-01-15, 17:45
GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-01-15 08:29:22
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.12 ----
SSDT 85399718 ZwAllocateVirtualMemory
SSDT 853B48B0 ZwCreateKey
SSDT 85399C40 ZwCreateProcess
SSDT 85399BC8 ZwCreateProcessEx
SSDT 853999E8 ZwCreateThread
SSDT 8537D0A8 ZwDeleteKey
SSDT 85399CB8 ZwDeleteValueKey
SSDT 85399790 ZwQueueApcThread
SSDT 85399628 ZwReadVirtualMemory
SSDT 8538D0A8 ZwRenameKey
SSDT 85399880 ZwSetContextThread
SSDT 85399DA8 ZwSetInformationKey
SSDT 85399AD8 ZwSetInformationProcess
SSDT 853998F8 ZwSetInformationThread
SSDT 85399D30 ZwSetValueKey
SSDT 85399A60 ZwSuspendProcess
SSDT 85399808 ZwSuspendThread
SSDT 85399B50 ZwTerminateProcess
SSDT 85399970 ZwTerminateThread
SSDT 853996A0 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwCallbackReturn + 2048 804FBD5C 8 Bytes [ 40, 9C, 39, 85, C8, 9B, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 231C 804FC030 8 Bytes [ D8, 9A, 39, 85, F8, 98, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 2380 804FC094 8 Bytes [ 60, 9A, 39, 85, 08, 98, 39, ... ]
.text ntoskrnl.exe!ZwCallbackReturn + 2390 804FC0A4 8 Bytes [ 50, 9B, 39, 85, 70, 99, 39, ... ]
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033FAA
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72034135
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72034019
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033FC8
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1900] kernel32.dll!CreateThread + 18 77E7BE6B 4 Bytes [ C1, 2F, 5D, 88 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D928 77F51000 53 Bytes [ 76, F2, FF, FF, 68, E1, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D960 77F51038 65 Bytes [ 98, 2E, 00, FF, AD, 3F, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9A2 77F5107A 1 Byte [ 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9A4 77F5107C 61 Bytes [ 89, 23, 00, DF, BD, 4B, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!NlsMbOemCodePageTag + FFF8D9E2 77F510BA 1 Byte [ 00 ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 50 77F55484 96 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + B1 77F554E5 146 Bytes [ 14, 4C, EB, 16, 45, DA, 12, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 144 77F55578 121 Bytes [ FF, FF, FF, FF, FF, FF, FD, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 1BE 77F555F2 15 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrDisableThreadCalloutsForDll + 1CF 77F55603 4 Bytes [ FF, FF, FF, FF ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlNormalizeProcessParams + 4D 77F556AF 64 Bytes [ 74, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + A 77F556F0 9 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + 14 77F556FA 9 Bytes [ FF, FF, FF, FF, 74, 74, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitNlsTables + 1E 77F55704 208 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitializeCriticalSection + 3 77F557D5 106 Bytes JMP 56C717C6
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlInitializeCriticalSection + 6E 77F55840 67 Bytes [ FF, FF, FF, FA, F9, FA, FA, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 33 77F55884 2 Bytes [ FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 36 77F55887 3 Bytes [ FF, FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 3A 77F5588B 72 Bytes [ FF, FF, FF, 74, 74, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + 83 77F558D4 92 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlCreateHeap + E0 77F55931 165 Bytes [ FF, FF, FF, F7, E7, EF, BC, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + BE 77F56FD9 12 Bytes [ FF, FF, FF, FF, FF, 74, 74, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + CB 77F56FE6 76 Bytes [ FF, D1, A0, FF, C6, 7B, F1, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 118 77F57033 67 Bytes [ FE, FF, FF, FC, D8, B3, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 15D 77F57078 10 Bytes [ FF, FF, FF, FF, FF, FF, 74, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrLoadDll + 168 77F57083 2 Bytes [ FF, FF ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 89 77F57217 78 Bytes [ FF, FF, ED, F1, FB, 99, BE, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + D8 77F57266 97 Bytes [ FF, FF, FF, FC, FC, FD, A1, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 13A 77F572C8 125 Bytes [ 20, 58, FC, 1E, 51, EB, 1B, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 1B8 77F57346 195 Bytes [ CA, 96, EC, ED, EB, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!LdrGetDllHandle + 27C 77F5740A 25 Bytes [ FF, 1B, 54, F7, 24, 54, E6, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 17 77F57BC5 278 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 12E 77F57CDC 25 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 148 77F57CF6 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 153 77F57D01 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlAllocateHeap + 15B 77F57D09 54 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + 87 77F58AC5 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + 94 77F58AD2 16 Bytes [ 00, 00, 30, AC, 30, FF, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + A5 77F58AE3 52 Bytes [ 00, BA, 8C, 7D, FF, E4, C3, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + DA 77F58B18 5 Bytes [ 10, 70, 10, FF, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlFreeHeap + E1 77F58B1F 67 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap 77F59726 55 Bytes [ 00, 00, 00, 00, 00, 00, EC, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 39 77F5975F 3 Bytes [ 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 3E 77F59764 5 Bytes [ 00, 00, 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 45 77F5976B 13 Bytes [ 00, 00, 00, 00, 00, 77, 5B, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlLockHeap + 53 77F59779 40 Bytes [ 5B, 4B, 10, 00, 00, 00, 00, ... ]
.text ...
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 2D 77F59817 10 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 39 77F59823 66 Bytes [ 00, 2F, 5C, E3, 10, 2C, 5C, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + 7E 77F59868 47 Bytes [ 00, 66, 00, EF, 57, B5, 6C, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + AE 77F59898 6 Bytes [ 00, 00, 00, 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlUnlockHeap + B5 77F5989F 12 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + C 77F598AC 60 Bytes [ F1, BE, 93, FF, FF, FF, FF, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 4A 77F598EA 23 Bytes [ 00, 00, 00, 00, 00, 00, 77, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 64 77F59904 25 Bytes [ 00, 00, 00, 00, 00, 00, 00, ... ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 7F 77F5991F 3 Bytes [ 00, 00, 00 ]
.text C:\PROGRA~1\Grisoft\AVG7\avgw.exe[2372] ntdll.dll!RtlSetCurrentDirectory_U + 84 77F59924 50 Bytes [ E3, B2, 8D, FF, FF, FF, FF, ... ]
Hi again, we'll continue :)
GMER log was big, I've edited the unnecessary parts out.
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Lspfix (http://www.cexx.org/lspfix.zip). Extract(unzip) it to its own folder. Disconnect from the internet, and close all browser windows. Run LSPFix. Click the "I know what I'm doing" button. In the left hand pane, hilite all instances of mkls.dll (and nothing else), move them to the "Remove" pane and by clicking the >> button. Click Finish. Reboot to complete the process.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - URLSearchHook: (no name) - {781E9D6F-78DD-5F21-DC7D-7A129544E6CF} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\dyfrism\winlogon.exe
F3 - REG:win.ini: run=C:\WINDOWS\System32\dyfrism\winlogon.exe
O4 - HKLM\..\Run: [ht5nkgki] C:\WINDOWS\System32\ht5nkgki.exe
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to the My Computer and delete the following files (if present):
c:\documents and settings\default\start menu\programs\startup\winlogon.lnk (may not have that .lnk but delete if you find just winlogon)
C:\WINDOWS\System32\ht5nkgki.exe
Go to the My Computer and delete the following folders (if present):
C:\WINDOWS\System32\dyfrism
Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Restart to the normal mode.
Please run the F-Secure Online Scanner (http://support.f-secure.com/enu/home/ols3.shtml#)
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction Here (http://support.f-secure.com/enu/home/ols3.shtml) for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.
================
When you're ready, please post the following logs to here:
- F-Secures report
- a fresh HijackThis log
Mysticbear
2007-01-17, 06:41
Scanning Report
Tuesday, January 16, 2007 21:05:11 - 21:39:27
Computer name: TEMP-JY4Q3NS0LW
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
--------------------------------------------------------------------------------
Result: 3 malware found
Malware.TopAntiSpyware (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Windows (spyware)
System (Disinfected)
--------------------------------------------------------------------------------
Statistics
Scanned:
Files: 23094
System: 3784
Not scanned: 16
Actions:
Disinfected: 3
Renamed: 0
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{BB82C9DC-7F25-4E83-96FC-FE18942FA4D2}.BIN
C:\WINDOWS\$NTUNINSTALLQ828026$\MSDXM.OCX
C:\WINDOWS\$NTUNINSTALLKB839645$\FLDRCLNR.DLL
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
C:\WINDOWS\$NTUNINSTALLKB826939$\ACCWIZ.EXE
C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL
C:\DOCUMENTS AND SETTINGS\MOM AND DAD\DESKTOP\LOGFILE OF HIJACK.THIS.DOC
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\FD385DD2BAA7D926802E1DA7535DA7CA_6F28A56A-3A20-4342-9268-ED23C42D5001
--------------------------------------------------------------------------------
Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-01-16
F-Secure AVP: 7.0.171, 2007-01-17
F-Secure Orion: 1.2.37, 2007-01-17
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2006-11-19
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 9:41:04 PM, on 1/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\MOMAND~1\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Mysticbear
2007-01-17, 08:27
I am unable to use the volume on my speakers....It just won't play anything and when you go into the control panel it won't let you click on anything to fix it.
Also Outerino is in my all programs but the whole time I was in safe mode I couldn't figure out where it might be.
THanks
Hi :)
Please go to My computer and locate & delete the following file:
c:\documents and settings\default\start menu\programs\startup\winlogon.lnk (may not have that .lnk but delete if you find just winlogon)
When did you lose your sound ? Have you tried updating your audio drivers ?
Then you should be able to install AVG Anti-Spyware now...
You should print these instructions or save these to a text file. Follow these instructions carefully.
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
================
When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
Mysticbear
2007-01-20, 03:32
I couldn't delete this file:
c:\documents and settings\default\start menu\programs\startup\winlogon.lnk (may not have that .lnk but delete if you find just winlogon)
I couldn't find it anywhere....
My sound was lost somethime in during the virus cleanup.
I don't know how to update my audio drivers so I have yet to try that, if you could give me some info that would be great!
Also here are the reports:
Logfile of HijackThis v1.99.1
Scan saved at 6:29:09 PM, on 1/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
And the other:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 6:24:08 PM 1/19/2007
+ Scan result:
C:\Program Files\PeDevice\PeDev.dll -> Adware.Delfin : Cleaned.
C:\Documents and Settings\Mom and Dad\DoctorWeb\Quarantine\ipwins.dll -> Adware.Maxifiles : Cleaned.
C:\WINDOWS\system32\e9nrl8rc.exe -> Adware.SAHAgent : Cleaned.
C:\Documents and Settings\Mom and Dad\Local Settings\Temporary Internet Files\Content.IE5\FY5IS86J\callme.nm[1] -> Not-A-Virus.Exploit.HTML.VML.b : Cleaned.
C:\RECYCLER\NPROTECT\00136721.TXT -> TrackingCookie.Addynamix : Cleaned.
C:\RECYCLER\NPROTECT\00136729.TXT -> TrackingCookie.Addynamix : Cleaned.
C:\RECYCLER\NPROTECT\00136847.TXT -> TrackingCookie.Addynamix : Cleaned.
C:\RECYCLER\NPROTECT\00137686.TXT -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\NPROTECT\00136835.TXT -> TrackingCookie.Atdmt : Cleaned.
C:\RECYCLER\NPROTECT\00137702.TXT -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\RECYCLER\NPROTECT\00136705.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136706.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136707.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136708.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136709.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136710.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136711.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136712.TXT -> TrackingCookie.Falkag : Cleaned.
C:\RECYCLER\NPROTECT\00136713.TXT -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\NPROTECT\00136737.TXT -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\NPROTECT\00136738.TXT -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\NPROTECT\00136739.TXT -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\NPROTECT\00136740.TXT -> TrackingCookie.Fastclick : Cleaned.
C:\RECYCLER\NPROTECT\00136837.TXT -> TrackingCookie.Linksynergy : Cleaned.
C:\RECYCLER\NPROTECT\00136838.TXT -> TrackingCookie.Linksynergy : Cleaned.
C:\RECYCLER\NPROTECT\00136839.TXT -> TrackingCookie.Linksynergy : Cleaned.
C:\RECYCLER\NPROTECT\00137689.TXT -> TrackingCookie.Linksynergy : Cleaned.
C:\RECYCLER\NPROTECT\00136899.TXT -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\NPROTECT\00136900.TXT -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\NPROTECT\00137684.TXT -> TrackingCookie.Liveperson : Cleaned.
C:\RECYCLER\NPROTECT\00136692.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136693.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136694.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136695.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136696.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136697.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136700.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136701.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136702.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136703.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136704.TXT -> TrackingCookie.Paypopup : Cleaned.
C:\RECYCLER\NPROTECT\00136747.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136748.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136749.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136750.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136751.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136752.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136753.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136754.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136755.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136756.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136757.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136758.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136759.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136760.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136761.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136762.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136763.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136764.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136834.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00137691.TXT -> TrackingCookie.Shopathomeselect : Cleaned.
C:\RECYCLER\NPROTECT\00136805.TXT -> TrackingCookie.Sidefind : Cleaned.
C:\RECYCLER\NPROTECT\00137697.TXT -> TrackingCookie.Sidefind : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\RECYCLER\NPROTECT\00137696.TXT -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Mom and Dad\Cookies\mom and dad@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
::Report end
THank you for you help I really appreciate it!!!!:)
Ok looking quite good :)
How is the computer running ?
Open HijackThis.
Open the Misc Tools section
Delete a file on Reboot
Copy the following line to the filenamebox and press Open; c:\documents and settings\default\start menu\programs\startup\winlogon.lnk
Answer Yes
Reboot the computer if it isn't restarted automatically
Post a fresh HijackThis log :bigthumb:
Mysticbear
2007-01-21, 02:19
Logfile of HijackThis v1.99.1
Scan saved at 5:18:35 PM, on 1/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Startup: winlogon.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hi :)
A tool called SDFix has been updated and it should do the job...
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer that normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
Mysticbear
2007-01-24, 20:45
The program doesn't have this file:
Open the extracted folder and double click RunThis.bat to start the script
and everytime i just try to open it and run it it tells me that I have to open the extracted folder(which I am) to run it!!!
Mysticbear
2007-01-24, 23:46
My sound still doesn't work.
I am not sure what happened to it but it doesn't play anything from Windows Media...It just gets a red ! and says:
Cannot playback the audio stream: no audio hardware is available, or the hardware is not responding.
I am not sure what to do about this but I would love it if you could give me some insight!
Thanks a bunch!
Hi :)
We'll get to the audio problem but let's get you cleaned first.
Ok looks that intructions aren't accurate...
When you extract the contents of SDFIC.zip and run the file SDFix.exe, the contents are extracted to C:\SDFix folder.
Go to C:\SDFix folder and run the file Runthis.bat
Let me know if it doesn't work, sorry for the inconvenience :bigthumb:
Mysticbear
2007-01-27, 08:18
Here is the SDFix report:
SDFix: Version 1.61
Fri 01/26/2007 - 23:11:01.78
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
Path:
Restoring Windows Registry Entries
Restoring Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Files will be copied to Backups folder and removed:
C:\Documents and Settings\Mom and Dad\Start Menu\Programs\Startup\winlogon.lnk - Deleted
C:\WINDOWS\system32\netstat.com - Deleted
C:\WINDOWS\system32\taskkill.com - Deleted
C:\WINDOWS\system32\unsvchosts.lzma - Deleted
Alternate Streams Check:
C:\WINDOWS\system32
No streams found.
Final Check:
Remaining Services:
------------------
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes :
C:\NTDETECT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c509 Packet\3C5X9PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c556 Packet\3C556.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\3COM 3c59x Packet\3C59XPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1200 Packet\EC32PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1203 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1204 Packet\VLNWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207 Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207C Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207D Packet\ACCPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207F Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1207TX Packet\PCIPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1208 Packet\1208PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1625 Packet\NEPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1640 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1650 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1651 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1652 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1653 Packet\NE2PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1656 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1657 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN1658 Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN166X Packet\NWPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2216 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2218 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2228 Packet\PCMPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\ACCTON EN2320 Packet\EN5251PD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DEVICE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYB.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MODE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MOUSE.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\NETBIND.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Paralink.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\command.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMBIO.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\pcdos\IBMDOS.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE450 Packet\DE450.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWORKS DE500 Packet\DE500.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DEC EtherWorks ISA (DE305) Packet\DE305.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DE400 Packet\De400pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DMF560-TX Packet\Lmpd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\DLink DT620 Packet\Dt620pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\IBM Crystal LAN Packet\Epktisa.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Kingston EtheRx KNE110TX Packet\Ktc110p.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD 10-100AL Packet\L100al.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-CDF Packet\Ldcdt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Laneed LD-PCI2TL Packet\Ldpcil.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Melco LPC2-T\Lpchkat2.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FNW9x00T - ENW8300T Packet\fetpkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\FETPKT.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Planex FW-100TX Fast Ethernet Packet\Rtspkt.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\PXE Packet Driver\Undipd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\SN 2000p Packet\PNPPD.COM
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\WaveLAN Packet\Wvlan42.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX Packet\Cbepd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS Packet\Xpspd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10 - RE100 Packet\Ce3pd.com
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\CMDS16.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\E.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\GUEST.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\MSCDEX.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\Net.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\PROTMAN.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\UHCI.EXE
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom CBE10-100BTX\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet 10-100 + Modem\Cbendis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Ethernet II PS\Xpsndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom PE3-10Bx\Pe3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom Re-100Btx + Ce3B-100Btx\Ce3ndis.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\Xircom RE10BT\Ce3ndis.exe
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\QooBox\Purity\WINDOWS\PPATCH~1\?hkdsk.exe
C:\WINDOWS\system32\cdplayer.exe.manifest
C:\WINDOWS\system32\logonui.exe.manifest
C:\IO.SYS
C:\MSDOS.SYS
C:\pagefile.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Elndis.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\CATC USB Ethernet\Usbd.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI1394.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI2DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI4DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8DOS.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPI8U2.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPICD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIEHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIOHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\ASPIUHCI.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BOOTSRV.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\bootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTCDROM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\BTDOSM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\COUNTRY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DISPLAY.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\DLSHELP.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\FLASHPT.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\HIMEM.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\KEYBOARD.SYS
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\msbootsrv16.sys
C:\Documents and Settings\All Users\Application Data\Symantec\Ghost\Template\common\OAKCDROM.SYS
C:\Documents and Settings\Megan\Local Settings\Temp\DXM179.tmp
C:\Documents and Settings\Megan\Local Settings\Temp\DXM17A.tmp
C:\Documents and Settings\Megan\Local Settings\Temp\DXM17B.tmp
Finished
And here is the log report for Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 11:18:22 PM, on 1/26/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\HJT\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\WUTemp\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AcctMgr] "C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe" /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: 01Apache - Unknown owner - C:\PROGRA~1\01COM~1\WEBSER~1\Apache.exe" --ntservice (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Hope I did it right!
OK very good :)
How is the computer running at the moment ?
You coud try updating your soundcard drivers, looks llike you have a C-Media soundcard there -> C-Media (http://www.cmedia.com.tw/?q=en/driver)
Let me know how things are running :bigthumb:
Mysticbear
2007-01-28, 01:48
Okay so I downloaded the CM320 Driver but my sound is still not working.
I downloaded it to my desktop. Should I have downloaded it to somewhere else?? Or should I have downloaded something else? DO I have to do something to get it activated?
My computer is running fine.
I still have winlogon in my system32 folder(I found it but it said that access was denied when I tried deleting it.)
I also have Outerinfo in my start Menu>All Programs.
I am not sure how to delete it or anything
THank you for your help!
Hi :)
Yes you need to install the drivers too.
Extract the contents of the zip file (a folder) to C-drive.
Then go to that folder and run the file setup.exe, follow the promts.
When ready, reboot.
winlogon.exe in system32 folder is a legitimate Windows component, do not delete it !
Thn the Outerinfo leftover, rigthclick it with your mouse and choose "Delete" from the menu. Answer yes.
Let me know it worked :bigthumb:
Mysticbear
2007-01-29, 00:17
Hi,
I extracted the files to my C Drive but when I double click setup.exe it tells me to Please Plug In C Media USB Card Reader
I am not sure what to do with it now.
THank you
I think that it is not the rigth driver for you...
Do you know the type of your soundcard ?
Mysticbear
2007-01-30, 00:14
i think that it is called realtek Ac97 or something along that
it might just be ac 97
Ok good :)
Please try this -> http://www.majorgeeks.com/Realtek_AC97_Drivers_d4400.html
Let me know :bigthumb:
Mysticbear
2007-01-31, 03:07
Thank you so much!
My computer runs much faster now and the sound WORKS!!!
Thank you for all your help!!
Nice to hear that, you're very welcome :)
Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
Then you should update your Java to the latest version (6.0) Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 4
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it
Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.
Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
Glad we could help, as the problem appears to be resolved this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.