PDA

View Full Version : Help me get rid of all the spyware!



gotkwah
2007-01-18, 18:14
I have run several anti spyware/adware programs in the last few days, yet symantec keeps showing me Trojan.Adclicker in C:\windows, the file is called pippdll.exe. It says it deletes it but it keeps coming back....

Here is a log from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 11:12:41 AM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\AOL\1116121944\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1116121944\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1116121944\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - D:\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116121944\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [V0230Mon.exe] G:\DRIVERS\English\V0230Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Creative Live! Cam Manager] "C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/19d3a9402ce90cc26415/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164348265899
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\khltsvc.exe



Any help is much appreciated.

steamwiz
2007-01-18, 21:47
HI

Disconnect from the internet Close ALL browser windows (including this one) - run hijackthis and tick to fix (check the box next to) the list below.........when all are ticked (checked) click the Fix Checked button at the bottom. :-


O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/19d3a940...p/RdxIE601.cab

O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\khltsvc.exe


Reboot then find and delete :-

C:\WINDOWS\khltsvc.exe

THEN...

I presume you have followed the instructions here ?

http://forums.spybot.info/showthread.php?t=288

Please post the Pandascan log & any other on-line scan logs you may have...

THEN...

Download and install the 30 day trial of AVG Anti-Spyware from HERE :-

http://www.ewido.net/en/download/

1. Download it to your desktop
2. Doubleclick the AVG Anti-Spyware icon to start the ewido setup process...
3. update the definition files....
Click the Update icon then select the Update now link...
Select the Start Update button, the update will start and a progress bar will show the updates being installed.
4. select the Scanner icon at the top of the screen, then select the Settings tab
click on Recommended actions and then select Quarantine
5. Under Reports...
Select Automatically generate report after every scan
Un-Select Only if threats were found
6. Close AVG Anti-Spyware > Do not run the scan yet.

Boot your computer into Safemode

1. Go to Start> Shut Off your Computer> Restart
2. As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly, this will bring up a menu.
3. Use the Up and Down Arrow Keys to scroll up to SAFEMODE
4. Then press the Enter on your Keyboard

IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process

1. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
2. Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
3. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
4. Once the scan is complete do the following:
5. If you have any infections you will prompted, then select Apply all actions
6. Next select the Reports icon at the top.
7. Select the Save report as button in the lower left hand of the screen and save it to a text file on your system
8. make sure to remember where you saved that file, this is important
9. Close AVG Anti-Spyware
10. Copy & paste the AVG Anti-Spyware report in your next post

steam

gotkwah
2007-01-19, 01:44
here is the panda scan log after i fixed the 4 things u mentioned in HJT

going now to run spybot in safemode....


Incident Status Location

Adware:adware/ilookup Not disinfected c:\windows\system32\xbox31.ico
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_rtneg4
Virus:Trj/Agent.gen Disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Documents and Settings/Stan/Local Settings/Temp/snuninst.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq125.tmp]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq126.tmp]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq12B.tmp]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq12C.tmp]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq12E.tmp]
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq12F.tmp]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq130.tmp]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq131.tmp]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq134.tmp]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq137.tmp]
Spyware:Cookie/Sextracker Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq138.tmp]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq13A.tmp]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq13B.tmp]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq13C.tmp]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq13D.tmp]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq13F.tmp]
Spyware:Cookie/PayCounter Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq140.tmp]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq141.tmp]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq144.tmp]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq16.tmp]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq167.tmp]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq17.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq18.tmp]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq19.tmp]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1A2.tmp]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1BE.tmp]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1BF.tmp]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C1.tmp]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C2.tmp]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C4.tmp]
Spyware:Cookie/Bilbo.counted Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C6.tmp]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C8.tmp]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1C9.tmp]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1CA.tmp]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1CB.tmp]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1CD.tmp]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1CE.tmp]
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1CF.tmp]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1D2.tmp]
Spyware:Cookie/Comclick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1D3.tmp]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1D7.tmp]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1DA.tmp]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1DB.tmp]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1DC.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1DF.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1E0.tmp]
Spyware:Cookie/Euniverseads Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1E7.tmp]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1E8.tmp]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1E9.tmp]

gotkwah
2007-01-19, 01:45
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1EA.tmp]
Spyware:Cookie/Findwhat Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1EB.tmp]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1EC.tmp]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1EE.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1F1.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1F2.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1F4.tmp]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1F5.tmp]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1F6.tmp]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1FB.tmp]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1FD.tmp]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq1FE.tmp]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq203.tmp]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq205.tmp]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq206.tmp]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq24.tmp]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq25.tmp]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq26.tmp]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4A.tmp]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4B.tmp]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4C.tmp]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4D.tmp]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4E.tmp]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq4F.tmp]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq90.tmp]
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Stan\Application Data\Business Logic\UWC\Backup\J38548.7324752199.WCU[C:/Program Files/Yahoo!/YPSR/Quarantine/ppq91.tmp]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\e2lh8ipa.Default User\cookies.txt[.advertising.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Stan\Application Data\Mozilla\Firefox\Profiles\e2lh8ipa.Default User\cookies.txt[.questionmarket.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Stan\Cookies\stan@2o7[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stan\Cookies\stan@atwola[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Stan\Cookies\stan@burstnet[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Stan\Cookies\stan@questionmarket[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Stan\Cookies\stan@tribalfusion[1].txt
Adware:Adware/Popper Not disinfected C:\WINDOWS\khltsvc.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\Serv-U.v4.1.0.3.Professional.Edition.Repack-MAGNUM\mgmsur43.zip[MGMsusetup.rar][susetup.exe][SERVUDAEMON.EXE]

gotkwah
2007-01-19, 08:35
Spybot found nothing in safe mode.

I started a scan using AVG, and left the house, when i got back someone had restarted the computer. so i will try again later...

here is the new HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:35:02 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\AOL\1116121944\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\program files\common files\aol\1116121944\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
c:\program files\common files\aol\1116121944\ee\aolsoftware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - D:\WCCSC\WCPStop\wcpstop.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1116121944\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [V0230Mon.exe] G:\DRIVERS\English\V0230Mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - http://mpsnet.com/JavaVM3186.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-americas.ey.com/home/extraweb/iNotes.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1164348265899
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/dd/install/guidedsolutions.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

steamwiz
2007-01-19, 21:05
HI

I asked you to find and delete this file :-

C:\WINDOWS\khltsvc.exe

Were you not able to find it ? or did you forget to delete it, or wouldn't it delete ?

because it's shown in your Pandascan :-

Adware:Adware/Popper Not disinfected C:\WINDOWS\khltsvc.exe

Your hijackthis log is clean...

Please post the AVG anti-spyware log when you have it...

Also to clean the entries in your Pandascan log, please do this :-

Run these 2 programs...

First ....

Download CCleaner from :-

http://www.filehippo.com/download_ccleaner/ (click the download tab)

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.

doubleclick the ccsetup.exe file and install the program...

After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

Make sure the "windows" tab is selected

Under "internet explorer" tick...

Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history


under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"

Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)

under "System"

Tick ALL these ...


under "Advanced"

no need to tick any of these (but you can if you want, and realise what they do)


Applications tab...

These will mostly clean out old log files for these applications...

Clean:- (if you use them)

Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...

Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.

click "analyse" if you want to see a list of what is going to be removed, before it is removed.

Or

click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up

"This process will permanently delete files from your system. Are you sure you wish to proceed?"

click OK.

Second.....

Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

steam

gotkwah
2007-01-24, 05:52
hey,

sorry it has taken so long, the computer is my fiance's so i only have access to it when im at her place.

Anyway,

1) i could not find C:\WINDOWS\khltsvc.exe
i looked 3 times, and i even ran a search and could not find it...

2) i ran Ccleaner and cleaned everything, even though i run about once exery week or so anyway.

3) going to run combofix now, and then ill be back, ill run AVG overnight...

4) when i came to the forums i get a message in IE7, like a transparent popup on the top left of the page about Key Scrambler personal or something like that, whats the deal? is it legit? or should i be worried?

Thanks.

BBS

gotkwah
2007-01-24, 06:00
"Stan" - 07-01-23 22:54:34 Service Pack 2
ComboFix 07-01-23.2 - Running from: "C:\Documents and Settings\Stan\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\svchost.exe


((((((((((((((((((((((((((((((( Files Created from 2006-12-23 to 2007-01-23 ))))))))))))))))))))))))))))))))))


2007-01-23 22:25 <DIR> d-------- C:\Program Files\LogMeIn
2007-01-21 23:56 <DIR> d-------- C:\DOCUME~1\Stan\Application Data\AdobeUM
2007-01-21 23:56 <DIR> d-------- C:\DOCUME~1\Stan\Application Data\AdobeAUM
2007-01-21 23:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-20 20:06 152,448 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys
2007-01-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Viewpoint
2007-01-18 22:41 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\AOL
2007-01-18 18:48 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-18 18:48 <DIR> d-------- C:\Program Files\Grisoft
2007-01-18 16:28 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-18 11:32 60,416 --------- C:\WINDOWS\system32\tzchange.exe
2007-01-17 23:48 <DIR> d-------- C:\Program Files\Winkflash
2007-01-11 03:03 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-07 21:22 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-01-07 21:21 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-07 21:21 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-07 21:20 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-07 21:14 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-07 21:13 <DIR> d-------- C:\WINDOWS\network diagnostic
2006-12-29 07:26 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-26 00:22 <DIR> d-------- C:\Program Files\Skype
2006-12-26 00:22 <DIR> d-------- C:\DOCUME~1\Stan\Application Data\Skype
2006-12-26 00:09 <DIR> d-------- C:\DOCUME~1\Stan\Application Data\acccore
2006-12-26 00:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2006-12-26 00:06 <DIR> d-------- C:\Program Files\AIM6
2006-12-25 23:52 <DIR> d-------- C:\DOCUME~1\Stan\Application Data\Aim
2006-12-25 22:40 9,216 -ra------ C:\WINDOWS\V0230Cfg.exe
2006-12-25 22:40 86,016 -ra------ C:\WINDOWS\CtDrvIns.exe
2006-12-25 22:40 8,192 -ra------ C:\WINDOWS\system32\V0230Srv.exe
2006-12-25 22:40 6,272 -ra------ C:\WINDOWS\system32\drivers\V0230Vfx.sys
2006-12-25 22:40 498,464 -ra------ C:\WINDOWS\system32\drivers\V0230VID.sys
2006-12-25 22:40 36,961 -ra------ C:\WINDOWS\system32\V0230Mon.exe
2006-12-25 22:40 36,864 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2006-12-25 22:40 253,952 -ra------ C:\WINDOWS\system32\V0230CVW.dll
2006-12-25 22:40 25,600 -ra------ C:\WINDOWS\system32\V0230Pin.dll
2006-12-25 22:40 18,432 -ra------ C:\WINDOWS\system32\V0230Hwx.dll
2006-12-25 22:40 122,880 -ra------ C:\WINDOWS\system32\V0230Vfw.dll
2006-12-25 22:25 <DIR> d-------- C:\WINDOWS\CtDrvInstall
2006-12-25 22:25 <DIR> d-------- C:\Live! Cam


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-23 18:35 -------- d-------- C:\Program Files\mozilla firefox
2007-01-22 22:01 -------- d-------- C:\Program Files\symantec antivirus
2007-01-21 23:58 -------- d-------- C:\DOCUME~1\Stan\Application Data\adobe
2007-01-21 23:57 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-21 12:54 -------- d---s---- C:\DOCUME~1\Stan\Application Data\microsoft
2007-01-18 17:05 -------- d-------- C:\Program Files\quicktime
2007-01-18 17:01 -------- d-------- C:\Program Files\itunes
2007-01-18 16:58 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-01-18 16:58 -------- d-------- C:\Program Files\Common Files\scanner
2007-01-18 16:56 -------- d-------- C:\Program Files\america online 9.0
2007-01-18 11:09 -------- d-------- C:\DOCUME~1\Stan\Application Data\viewpoint
2007-01-13 18:31 -------- d-------- C:\Program Files\yahoo!
2007-01-11 00:29 -------- d-------- C:\Program Files\viewpoint
2007-01-07 20:41 -------- d-------- C:\Program Files\cdcopy
2006-12-29 07:17 -------- d--h----- C:\Program Files\installshield installation information
2006-12-26 00:08 -------- d-------- C:\Program Files\Common Files\aol
2006-12-25 23:56 -------- d-------- C:\Program Files\aim
2006-12-25 23:51 -------- d-------- C:\Program Files\aod
2006-12-25 22:40 -------- d-------- C:\Program Files\creative
2006-12-19 18:27 -------- d-------- C:\Program Files\hp
2006-12-19 17:22 -------- d-------- C:\Program Files\windows live safety center
2006-12-18 20:39 -------- d-------- C:\Program Files\eraser
2006-12-18 16:40 -------- d-------- C:\Program Files\sysutil
2006-12-18 16:28 -------- d-------- C:\Program Files\asys
2006-12-18 16:00 -------- d-------- C:\Program Files\symantec
2006-12-18 15:05 -------- d-------- C:\Program Files\google
2006-12-18 00:21 -------- d-------- C:\Program Files\ccleaner
2006-12-18 00:13 -------- d-------- C:\Program Files\pcpitstop
2006-12-07 22:04 -------- d-------- C:\Program Files\avisynth 2.5
2006-12-07 00:29 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-11-29 17:12 -------- d-------- C:\Program Files\java
2006-11-29 17:09 -------- d-------- C:\Program Files\Common Files\macromedia
2006-11-29 17:09 -------- d-------- C:\DOCUME~1\Stan\Application Data\macromedia
2006-11-29 17:08 -------- d-------- C:\Program Files\ipod
2006-11-24 22:13 -------- d--h----- C:\Program Files\windowsupdate
2006-11-24 02:45 -------- d-------- C:\Program Files\messenger
2006-11-24 00:33 -------- d-------- C:\Program Files\movie maker
2006-11-24 00:30 -------- d-------- C:\Program Files\windows nt
2006-11-23 20:45 -------- d-------- C:\Program Files\msxml 4.0
2006-11-16 11:44 103984 --a------ C:\WINDOWS\system32\aoldial.dll
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"Pure Networks Port Magic"="\"C:\\PROGRA~1\\PURENE~1\\PORTMA~1\\PortAOL.exe\" -Run"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1116121944\\ee\\AOLSoftware.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"V0230Mon.exe"="G:\\DRIVERS\\English\\V0230Mon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

Completion time: 07-01-23 22:57:04

gotkwah
2007-01-24, 10:20
Avg reported nothing found in safe mode... i did a complete system scan...

whats next?

steamwiz
2007-01-25, 01:41
keyscrambler is shown in your combofix log...

2007-01-20 20:06 152,448 --a------ C:\WINDOWS\system32\drivers\keyscrambler.sys

Apparently it's legit ... you don't remember installing it ?

http://www.siteadvisor.com/sites/qfxsoftware.com/downloads/2171036/


keyscrambler from http://www.qfxsoftware.com/

Apparently this is an anti-keylogger

keyscrambler will tell You when its working, at the top it shows a little image telling you if its scrambling the letters your typing or showing them ...

keyscrambler only works for internet explorer and firefox no other programs so Your not 100 percent protected

-
Do you have a KeyScrambler entry in Add/Remove Programs ?

Do you have a c:\Program Files\KeyScrambler\ folder ?

-


Your latest logs are clean...

going back to your first post "symantec keeps showing me Trojan.Adclicker in C:\windows, the file is called pippdll.exe."

Can you find the C:\windows\pippdll.exe file ?

Post a new Pandascan & a new hijackthis log

steam

gotkwah
2007-01-26, 10:14
steam

i wasnt able to find the pippdll.exe file anywhere.

im going to do another pandascan now, maybe you can help me with this though:

My fiance's brother installed IE7 on thier computer at home and it has a bunch of probs, wondering if you or anyone has any ideas whats wrong(besides for it being IE7)

1) when i use the mouse to scroll the screen will scroll and then about 2 seconds later it will scroll more by itself. im forced to drag the scroll bar, othewise i end up at the beg. or end of the document if i scroll the wheel just once.

2) words and links dont seem to match up 100%,, such as the blue bar at the top of the SD site (with Home, Coupons.... etc on it) all the words are bunched up, so the links are messed up.

3) whenever im typing into a forum or other field the spacing between the letters is really messed up, some letters are really close and some really far apart (looks like i have spaces in the middle of words)

any help is appreciated...

Thanks!

steamwiz
2007-01-26, 16:55
HI

It may be caused by the installation of IE7 as you say, most computers are having no problems with IE7, but the ones that are are showing many different side effects... try uninstalling IE7 and rolling back to IE6 ...

The mouse & keyboard could be corrupt drivers, then again, all hardware interacts with the software, so i suppose IE7 could be causing this as well...

Anyway, it's not possible to work on the problems of 2 computers in the same thread, it will get confusing, so please start a new thread about the new computer.

cheers

steam

gotkwah
2007-01-26, 18:48
Incident Status Location

Adware:adware/ilookup Not disinfected c:\windows\system32\xbox31.ico
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_rtneg4
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stan\Cookies\stan@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stan\Cookies\stan@atwola[2].txt
Adware:Adware/SystemDoctor Not disinfected F:\Backup\Backup Elan\Temp\k\ChangeKey\Windows XP CD Key and Product ID Changer.exe
Potentially unwanted tool:Application/ServUBased.A Not disinfected F:\Serv-U.v4.1.0.3.Professional.Edition.Repack-MAGNUM\mgmsur43.zip[MGMsusetup.rar][susetup.exe][SERVUDAEMON.EXE]
Adware:Adware/SystemDoctor Not disinfected F:\System Disc\XP Utils\Windows XP CD Key and Product ID Changer.exe

steamwiz
2007-01-26, 22:41
Hi

Delete the following files :-

c:\windows\system32\xbox31.ico ... file
c:\windows\system32\cache32_rtneg4 ... file

delete these cookies :-

C:\Documents and Settings\Stan\Cookies\stan@atwola[1].txt
C:\Documents and Settings\Stan\Cookies\stan@atwola[2].txt

Delete this file ... or not (it's your shout) but most files of this sort come with a worm or trojan or 2. :-

Adware:Adware/SystemDoctor Not disinfected F:\Backup\Backup Elan\Temp\k\ChangeKey\Windows XP CD Key and Product ID Changer.exe

Adware:Adware/SystemDoctor Not disinfected F:\System Disc\XP Utils\Windows XP CD Key and Product ID Changer.exe

steam

tashi
2007-02-05, 09:05
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.