popups & slow performance
AquaSeas
2007-02-21, 04:29
Lately my computer has been running very slowly & I have hundreds of popups daily. I downloaded spydoctor, which only made things worse. I had to use system restore to get rid of the program.
I've been careless with my Internet use and dread discovering what I have unknowingly downloaded. I am also pretty much an idiot when it comes to operating systems; I just know enough to be dangerous. I think I installed SP2 for Windows XP last summer. I didn't check for malware first.
~
From Panda Online:
Incident Status Location
Adware:Adware/Lop Not disinfected c:\docume~1\gregor~1\applic~1\clockd~1\typedateidle.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL
Potentially unwanted tool:application/mywebsearch Not disinfected c:\windows\system32\f3PSSavr.scr
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/keenvalue Not disinfected c:\program files\PerfectNav
Potentially unwanted tool:application/altnet Not disinfected c:\windows\temp\Altnet
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\amok for.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\AntiLink.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\gpl support.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\HelpJunk.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\Mix Sixth.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\Rdr Long.exe
Spyware:Cookie/Kazaa Networks Not disinfected C:\Documents and Settings\Greg\Cookies\greg@desktop.kazaa[1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\ejsdomkd.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\mbqysvqt.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\nncbbhgp.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\puwhpwwo.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\typedateidle.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\ybffzcor.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\clockdumbface\yyrhnryo.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.com.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@247realmedia[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@adtech[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@adultfriendfinder[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@as-eu.falkag[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@bs.serving-sys[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@perf.overture[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@serving-sys[1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis13.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis14.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis6.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis7.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis8.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Gregory Hambleton\Local Settings\Temp\bis9.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\Program Files\MSN Messenger\msimg32.dll
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MSN Messenger\riched20.dll
Potentially unwanted tool:Application/MyWay Not disinfected C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
Potentially unwanted tool:Application/Altnet Not disinfected C:\WINDOWS\Temp\Altnet\adm4.dll
AquaSeas
2007-02-21, 04:31
I rebooted my computer into Safe Mode, ran Spybot and fixed everything in red.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 9:49:15 PM, on 20/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [insidemediaflagokay] C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\amok for.exe
O4 - HKLM\..\Run: [0015691170960197mcinstcleanup] C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\001569~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824YYCA
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.gov.ns.ca/tran/cameras/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
Earlier today I tried to update Windows but when I installed the updates the colours and resolution of my monitor were totally messed up and I was unable to fix them so I restored to just before I tried to update. This happened one other time I tried to update the system, which is why I have automatic updates turned off.
Jaye
pskelley
2007-02-21, 22:09
Hi Jaye and welcome to the forum. I can't believe McAfee is dumping all of that junk on folks' computers. I had a long battle with them on the phone and took away my credit card number. When the current VSO is gone, so are they. If your computer has slowed a lot, look to McAfee for answers; they are probably worse than Norton now.
"This happened one other time I tried to update the system, which is why I have automatic updates turned off."
You can download them manually; you just have to turn autoupdates on when you do it. Your challenge is to get yourself to Microsoft Support:
http://support.microsoft.com/ <<< there are email, chat and toll-free numbers. Make Tech Support help you fix that problem; that's what you pay them for.
On to your problem, you have a LOP infection, here is some information:
http://www.superadblocker.com/P/PROGRAM%20BOOK.EXE-3755.html
http://forums.spybot.info/showthread.php?t=11358
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.Lop&threatid=8144
Follow the instructions carefully:
Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
When the scan finishes, if infected, you are prompted to reboot
Click OK
Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please post the contents of C:\NoLop.log along with a new HijackThis log.
Thanks
AquaSeas
2007-02-22, 03:01
Thanks so much for the welcome and the advice. As soon as I get rid of my popup problem I'm going to get rid of McAfee. Any recs for a good virus scan?
I'll also update Windows manually, one update at a time, and see if the support link you gave me can help with my screen display problems.
Now on to LOP.
I downloaded NoLop from the first link (spywareedge) and ran the search and destroy option. It said:
"Clean - No Infection Files Have Been Found"
I went to the second link (thespykiller) and couldn't find any NoLop programs to download, just a link to HJTsetup.exe. Should I have downloaded it?
Sorry to be so clueless.
pskelley
2007-02-22, 03:11
Please just follow the directions. Would you go back and read them and make sure they are followed exactly? For instance, if it says
"Please download NoLop to the Desktop", do exactly what it says; it needs to run from the Desktop. Once you follow the directions, then post the logs I requested. I will handle it from there.
Thank you...Phil
AquaSeas
2007-02-22, 04:21
Sorry if I wasn't clear, but I did download NoLop to my desktop (there's a LOP icon there now). I double clicked on it and clicked 'search and destroy'. It scanned my computer and gave me the popup message I posted above: "Clean - No Infection Files Have Been Found". I clicked OK (the only option) and the popup and the program closed. There was no log file to copy.
AquaSeas
2007-02-22, 04:29
My sincere apologies. I just found the log. I thought it popped up in the program; didn't realize it was just on the hard drive...
NoLop! Log by Skate_Punk_21
Fix running from: C:\NoLop
[21/02/2007]
[8:38:26 PM]
---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.
---Listing AppData sub directories---
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users.windows\Application Data\Active Skip Inside Media
C:\Documents and Settings\All Users.windows\Application Data\Ahead
C:\Documents and Settings\All Users.windows\Application Data\Google
C:\Documents and Settings\All Users.windows\Application Data\Gtek
C:\Documents and Settings\All Users.windows\Application Data\Mcafee
C:\Documents and Settings\All Users.windows\Application Data\Mcafee.com
C:\Documents and Settings\All Users.windows\Application Data\Microsoft
C:\Documents and Settings\All Users.windows\Application Data\Msn6
C:\Documents and Settings\All Users.windows\Application Data\Nvidia
C:\Documents and Settings\All Users.windows\Application Data\Quicktime
C:\Documents and Settings\All Users.windows\Application Data\Siteadvisor
C:\Documents and Settings\All Users.windows\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users.windows\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows\Application Data\Microsoft
C:\Documents and Settings\Greg\Application Data\Adobe
C:\Documents and Settings\Greg\Application Data\Help
C:\Documents and Settings\Greg\Application Data\Identities
C:\Documents and Settings\Greg\Application Data\Intertrust
C:\Documents and Settings\Greg\Application Data\Microsoft
C:\Documents and Settings\Greg\Application Data\Msn6 -- EMPTY Directory
C:\Documents and Settings\Greg\Application Data\Real
C:\Documents and Settings\Gregory Hambleton\Application Data\Adobe
C:\Documents and Settings\Gregory Hambleton\Application Data\Ahead
C:\Documents and Settings\Gregory Hambleton\Application Data\Clockdumbface
C:\Documents and Settings\Gregory Hambleton\Application Data\Crystalspace
C:\Documents and Settings\Gregory Hambleton\Application Data\Flock
C:\Documents and Settings\Gregory Hambleton\Application Data\Google
C:\Documents and Settings\Gregory Hambleton\Application Data\Gtek
C:\Documents and Settings\Gregory Hambleton\Application Data\Help
C:\Documents and Settings\Gregory Hambleton\Application Data\Hewlett-packard
C:\Documents and Settings\Gregory Hambleton\Application Data\Identities
C:\Documents and Settings\Gregory Hambleton\Application Data\Intertrust
C:\Documents and Settings\Gregory Hambleton\Application Data\Kazaa Lite
C:\Documents and Settings\Gregory Hambleton\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Gregory Hambleton\Application Data\Macromedia
C:\Documents and Settings\Gregory Hambleton\Application Data\Microsoft
C:\Documents and Settings\Gregory Hambleton\Application Data\Mozilla -- EMPTY Directory
C:\Documents and Settings\Gregory Hambleton\Application Data\Msn6
C:\Documents and Settings\Gregory Hambleton\Application Data\Real
C:\Documents and Settings\Gregory Hambleton\Application Data\Siteadvisor
C:\Documents and Settings\Gregory Hambleton\Application Data\Sun
C:\Documents and Settings\Gregory Hambleton\Application Data\Torrent101
C:\Documents and Settings\Gregory Hambleton\Application Data\Utorrent
C:\Documents and Settings\Gregory Hambleton\Application Data\Windows Live Writer
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Clockdumbface -- EMPTY Directory
C:\Documents and Settings\Localservice.nt Authority\Application Data\Help
C:\Documents and Settings\Localservice.nt Authority\Application Data\Macromedia
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Siteadvisor
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft
AquaSeas
2007-02-22, 04:30
Logfile of HijackThis v1.99.1
Scan saved at 10:30:38 PM, on 21/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
C:\QUICKENW\QWDLLS.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [insidemediaflagokay] C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\amok for.exe
O4 - HKLM\..\Run: [0015691170960197mcinstcleanup] C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\001569~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxdm824YYCA
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.gov.ns.ca/tran/cameras/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
pskelley
2007-02-22, 13:19
Thanks much for posting that information. It may be the infection in the log is not active or that NoLop had a problem with removal for some reason. I would like a look at your Uninstall list to be sure something is not installed (like messengerplus) that is putting Lop back.
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
This item is hard to identify and I am most sure it is LOP. Because you have so much McAfee stuff that looks a little like it, would you check it to be sure before you remove it? You can navigate to the folder and have a look. Right click and look at properties, or you can scan the file here:
http://virusscan.jotti.org/ Here is that item:
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_09\ <<< out of date, download the newest version and uninstall all old versions in Add Remove Programs.
Let's try to remove it manually, please read and follow all directions carefully.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [insidemediaflagokay] C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\amok for.exe
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZNxdm824YYCA
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\PROGRAM FILES~1\MYWEBS~1\ <<< delete that folder
C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\ <<< delete that folder
C:\DOCUMENTS & SETTINGS~1\GREGOR~1\APPLIC~1\CLOCKD~1\ <<< delete that folder
5) Let's run another good scan (free trial) to make sure nothing is hiding, please follow the directions in the link and make sure you delete or at least quarantine anything found and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the scan report from AVG Anti-Spyware, the uninstall list and new HJT log and your comments.
Thanks
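The triage in the post above rests on where an autorun target lives: O4 entries that start something from a profile's Application Data or Temp folder, or from a folder the scan reports already named, are the ones to check first. As an added example (my own code, not the thread's and not part of HijackThis), this script applies that rule to O4 lines copied from the logs in this thread and lists the folder each suspect runs from; the regexes, the folder list drawn from the Panda and AVG reports, and all function names are my assumptions about the HJT log format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: O4 lines copied from the HijackThis logs in this thread,
# with a few legitimate entries left in for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [insidemediaflagokay] C:\Documents and Settings\All Users.WINDOWS\Application Data\Active Skip Inside Media\amok for.exe
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [0015691170960197mcinstcleanup] C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\001569~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
"""

# Assumed shapes of HJT O4 lines: registry Run keys and Startup-folder shortcuts.
REG_RUN = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP = re.compile(r'^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$')
# First drive-qualified path ending in an executable extension (handles rundll32 wrappers).
PATH = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|com|bat|pif)', re.IGNORECASE)

PROFILE_DATA = re.compile(r'\\(?:APPLIC~1|Application Data)\\', re.IGNORECASE)
TEMP_DIR = re.compile(r'\\Temp\\', re.IGNORECASE)
# Folder names the Panda and AVG reports in this thread attribute to adware / PUPs.
KNOWN_PUP_FOLDERS = ('MYWEBS~1', 'MyWebSearch', 'MyWay', 'PerfectNav',
                     'Altnet', 'Active Skip Inside Media')


@dataclass
class Finding:
    name: str
    path: Optional[str]
    reasons: List[str]

    @property
    def folder(self) -> Optional[str]:
        """Folder to inspect (and, once confirmed, delete), as the thread does."""
        return self.path.rsplit('\\', 1)[0] + '\\' if self.path else None


def parse_o4(line: str) -> Optional[Tuple[str, str]]:
    """Return (entry name, command) for an O4 line, or None for any other line."""
    m = REG_RUN.match(line) or STARTUP.match(line)
    return (m.group('name'), m.group('cmd')) if m else None


def first_path(cmd: str) -> Optional[str]:
    m = PATH.search(cmd)
    return m.group(0) if m else None


def assess(name: str, cmd: str) -> Finding:
    path = first_path(cmd)
    reasons: List[str] = []
    if path is None:
        # Bare file name: Windows resolves it through the search path, so the
        # log alone does not tell you which file actually runs.
        reasons.append('no full path; confirm which file actually runs')
    else:
        if PROFILE_DATA.search(path):
            reasons.append('runs from a profile Application Data folder')
        if TEMP_DIR.search(path):
            reasons.append('runs from a Temp folder')
        low = path.lower()
        for f in KNOWN_PUP_FOLDERS:
            if '\\' + f.lower() + '\\' in low:
                reasons.append(f'path contains folder "{f}" named in the scan reports')
    return Finding(name, path, reasons)


def triage(log: str) -> List[Finding]:
    """Return only the O4 entries that trip at least one location heuristic."""
    out = []
    for line in log.splitlines():
        parsed = parse_o4(line.strip())
        if parsed:
            finding = assess(*parsed)
            if finding.reasons:
                out.append(finding)
    return out


if __name__ == '__main__':
    # Location is a lead, not a verdict: the McAfee installer cleanup entry in
    # Temp trips the rule too, which is why the thread checks file properties
    # or an online scan before anything is removed.
    for f in triage(SAMPLE_LOG):
        print(f'[{f.name}] {f.path}')
        for r in f.reasons:
            print(f'    - {r}')
        if f.folder:
            print(f'    folder to inspect: {f.folder}')
```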
AquaSeas
2007-02-22, 16:47
Hi Phil. Again many thanks for your advice and patience. I tried to follow all the directions to the letter.
Here's a rundown of what I did and the requested logs.
- removed all old versions of Java and installed latest
- the uninstall list:
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Avery Media Software 32 bit
Easy CD Creator 5 Basic
EAX Unified
Flock (Photobucket Edition) 0.7
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp deskjet 3600
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
HP PrecisionScan LTX
hp print screen utility
HP Scan-to-Web Wizard
HP Software Update
Java(TM) SE Runtime Environment 6
Keepsake
Kodak EasyShare software
Leisure Suit Larry - Magna Cum Laude
Masque MahJongg
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Express 10
Microsoft Windows Journal Viewer
MSN Messenger 7.5
MSN Toolbar
Nero Suite
NVIDIA Drivers
overland
Panda ActiveScan
QuickTax 2002 Standard
QuickTax 2003 Standard
QuickTax 2004
QuickTax 2005
QuickTax 2006
QuickTime
Quik 21
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Semagic (remove only)
Solitaire 2 Special Edition
SPSS 14.0 for Windows Evaluation Version
Spybot - Search & Destroy 1.4
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Windows Installer 3.1 (KB893803)
Windows Live Writer (Beta)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
- scanned O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe as requested. Here is the report:
Service load: 0% 100%
File: typedateidle.exe
Status: INFECTED/MALWARE
MD5 377f8305014d9d04dddc72b9b09b6653
Packers detected: -
Scanner results
Scan taken on 22 Feb 2007 12:03:07 (GMT)
AntiVir Found TR/FatObfus.68
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found Adware.Lop.Gen
VBA32 Found Trojan-Downloader.Obfuscated.1 (paranoid heuristics) (probable variant)
- made all files and folders visible
- downloaded ATF cleaner to my desktop
- Used HijackThis to 'fix checked' the four files you specified
- Deleted the three folders you specified
tbc...
AquaSeas
2007-02-22, 16:53
- here is the AVG anti-spyware report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:19:42 AM 22/02/2007
+ Scan result:
C:\WINDOWS\Temp\Altnet -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\Atl.dll -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\DMinfo2.cab -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\Setup.cab -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\adm4.dll -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\dminstall3.cab -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\msvcirt.dll -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\mysearch.cab -> Adware.Altnet : Cleaned.
C:\WINDOWS\Temp\Altnet\pminstall.cab -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Adware.Altnet : Cleaned.
HKLM\SOFTWARE\PerfectNav -> Adware.KeenValue : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1596\A0085874.DLL -> Adware.MyWaySpeed : Cleaned.
C:\Program Files\PerfectNav -> Adware.PerfectNav : Cleaned.
C:\Program Files\PerfectNav\BHO -> Adware.PerfectNav : Cleaned.
:mozilla.142:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.44:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.45:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@canadapost.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.130:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.131:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.132:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.135:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.136:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.167:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.168:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.169:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.170:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.171:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.183:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.188:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.156:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.157:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@casinotropez[1].txt -> TrackingCookie.Casinotropez : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@www.casinotropez[2].txt -> TrackingCookie.Casinotropez : Cleaned.
:mozilla.161:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@com[1].txt -> TrackingCookie.Com : Cleaned.
:mozilla.175:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.190:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.143:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.144:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.145:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.146:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.92:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@pro-market[2].txt -> TrackingCookie.Pro-market : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.79:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.80:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.81:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.82:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.83:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Gregory Hambleton\Cookies\gregory hambleton@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.73:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.74:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.75:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.76:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.77:C:\Documents and Settings\Gregory Hambleton\Application Data\Flock\Browser\Profiles\cma7ov6u.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\RECYCLER\S-1-5-21-343818398-2025429265-725345543-1004\Dc1.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1551\A0083137.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1551\A0083138.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1551\A0083140.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087845.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087846.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087847.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087848.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087849.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087851.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087853.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087854.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087855.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087857.exe -> Trojan.Inject.au : Cleaned.
C:\System Volume Information\_restore{9A9BC57F-C5D0-45E5-A52B-0FAB39F2ED3B}\RP1603\A0087858.exe -> Trojan.Inject.au : Cleaned.
::Report end
- ran ATF cleaner and emptied 'all selected'
- restarted my computer
- here is the new HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:37:44 AM, on 22/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\QUICKENW\QWDLLS.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\MSC\mctskshd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6028\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1517.0\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [0015691170960197mcinstcleanup] C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\001569~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6028\SiteAdv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOCUME~1\GREGOR~1\LOCALS~1\Temp\DELDIR0.EXE" "C:\Program Files\McAfee\McAfee Shared Components\Guardian\"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.gov.ns.ca/tran/cameras/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6028\SiteAdv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6028\SAService.exe
Comments: I saw no popups so far in this internet session! :bigthumb:
~ Jaye
pskelley
2007-02-22, 17:34
Thanks for the feedback and great job :bigthumb: If you ever want to learn more about the process (training is free but not easy), let us know.
O4 - HKCU\..\Run: [idolwin] C:\DOCUME~1\GREGOR~1\APPLIC~1\CLOCKD~1\typedateidle.exe
You need to remove this one, see this:
File: typedateidle.exe
Status: INFECTED/MALWARE
MD5 377f8305014d9d04dddc72b9b09b6653
VirusBuster Found Adware.Lop.Gen
No doubt it is LOP, remove the line with HJT. HJT is a process manager and that will stop the process from running. Navigate to that folder and delete it:
C:\DOCUMENTS & SETTINGS~1\GREGOR~1\APPLICATION DATA~1\CLOCKD~1\ <<< that one
Uninstall list looks good, but you store too many junk cookies, see this information: http://www.mvps.org/winhelp2002/cookies.htm
I will give you all of the information now; please post in 24 hours to let me know if all is well, and if that is the case I will close your topic then.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
AquaSeas
2007-02-23, 00:30
Phil, I can't thank you enough for all the advice and helpful information! I've been working on the Internet all afternoon and haven't seen a single popup. :bigthumb: Plus everything just seems to be loading faster. I'm so grateful.
I did get rid of the two files you mentioned in your last post. I also found a clockdumbface folder in c:\documents & settings\local service.NT AUTHORITY\Application Data and got rid of it too.
I followed your instructions and links and made a clean system restore file and manually turned off AVG Anti-Spyware.
My mission for the weekend is to read all the information on the links you posted, do something about my junk cookies and increase the security on my Internet surfing.
If I haven't posted anything else by tomorrow AM you can assume that everything is still running smoothly and close my file.
Fabulous work you folks do here!
:bighug: Jaye
pskelley
2007-02-23, 01:10
Well...sounds like you have plans for a secure, clean, well maintained computer. I will add these links then:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
. Security At Home site
http://www.microsoft.com/athome/security/default.mspx
. Security Tips & Talk blog
http://blogs.msdn.com/securitytipstalk/default.aspx
. RSS feed: Get security information delivered to you
http://www.microsoft.com/athome/security/rss/default.mspx
. Security video tutorials
http://www.microsoft.com/athome/security/videos/default.mspx
. Security community for home users
http://www.microsoft.com/athome/security/newsgroup/default.mspx
. Support for your computer security issues
http://www.microsoft.com/athome/security/support/default.mspx
. Worldwide computer security information
http://www.microsoft.com/athome/security/worldwide/default.mspx
:laugh:
AquaSeas
2007-02-23, 14:40
More reading material! Yikes! :laugh:
All is still great this morning. I was even able to get all the latest Windows updates installed with no monitor problems. Now it's time to take a serious look at McAfee...
Thanks again.
Jaye