View Full Version : Malware problem can someone help
Detected vulnerabilities - during trend micro online scan
(MS07-006) Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
(MS07-007) Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
(MS07-008) Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
(MS07-009) Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779)
(MS07-011) Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
(MS07-014) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
(MS07-016) Cumulative Security Update for Internet Explorer (928090)
I installed all the MS updates listed above.
Then ran HijackThis as got the log below
Logfile of HijackThis v1.99.1
Scan saved at 8:10:02 PM, on 25/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\HighJack\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.2.7.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Line Speed Meter V3.0] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [that dart default way] C:\Documents and Settings\All Users\Application Data\Real Mess That Dart\typewindow.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [once sixth] C:\DOCUME~1\PETERL~1\APPLIC~1\ANTESI~1\pollwait.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: {42D683F7-9C1B-11D7-A860-005056C00001} (.print Client RDP Webinstall) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/TPRDPenN.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143117952609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143118201796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualpc.aspac.kpmg.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
pskelley
2007-03-25, 21:47
Welcome to the forum, since I see no antivirus scan results, I have to
assume you missed this important information. "BEFORE you POST"
Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288 Please read and follow
all instructions, you may hold the antivirus scan, I will let you know
if I need it.
When you post it is always best to try to describe your "malware problem", kind of like telling the doctor something hurts and letting him guess what. I believe I see a LOP infection, read about this junk.
http://inetexplorer.mvps.org/data/lop.htm
http://www.superadblocker.com/P/PROGRAM%20BOOK.EXE-3755.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2Lop&threatid=8144
Follow the directions carefully, that is you best chance for success.
Thanks to skate_punk_21 and anyone else who helped with this fix.
Please download NoLop to the Desktop from one of these links:
http://www.spywareedge.net/nolop/NoLop.exe
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
Close any programs you have running since a reboot is required
Double click NoLop.exe to run it
Next, click the button labeled: Search and Destroy
<<your computer will now be scanned for infected files>>
When the scan finishes, if infected, you are prompted to reboot
Click OK
Now click: REBOOT
A Message should popup from NoLop. If not, double click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a new HijackThis log
We will have more to do,
Thanks
Hi thanks for the reply, i actually did read the before you post thread, and I ran the trend micro online anti virus and I put what it gave me at the beginning of my first message they didn't really have a log file so I just copied the screen. It ended up being too much text so I just kept the most important parts.
I ran noLoop this morning and it came up with no infections.
Here is the log:
NoLop! Log by Skate_Punk_21
Please Note: any existing old logs will have now been renamed to NoLop!OLD.log
Fix running from: C:\Documents and Settings\Peter Logie\Desktop
[27/03/2007]
[7:41:14 AM]
---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.
---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Real Mess That Dart
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Trend Micro
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Peter Logie\Application Data\.bittorrent
C:\Documents and Settings\Peter Logie\Application Data\1clickdvdcopy -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Adobe
C:\Documents and Settings\Peter Logie\Application Data\Adobeum
C:\Documents and Settings\Peter Logie\Application Data\Ahead
C:\Documents and Settings\Peter Logie\Application Data\Ante Site
C:\Documents and Settings\Peter Logie\Application Data\Apple Computer
C:\Documents and Settings\Peter Logie\Application Data\Bitgrabber
C:\Documents and Settings\Peter Logie\Application Data\Copytodvd -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Coreftp
C:\Documents and Settings\Peter Logie\Application Data\Divx
C:\Documents and Settings\Peter Logie\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Hp
C:\Documents and Settings\Peter Logie\Application Data\Identities
C:\Documents and Settings\Peter Logie\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Macromedia
C:\Documents and Settings\Peter Logie\Application Data\Microsoft
C:\Documents and Settings\Peter Logie\Application Data\Mozilla
C:\Documents and Settings\Peter Logie\Application Data\Pc Tools
C:\Documents and Settings\Peter Logie\Application Data\Sun
C:\Documents and Settings\Peter Logie\Application Data\Utorrent
C:\Documents and Settings\Peter Logie\Application Data\Wholesecurity
This is the virus that keeps popping up in my anti virus = ayb.dns-look-up.com
pskelley
2007-03-27, 14:34
http://blogs.zdnet.com/Spyware/?p=853 <<< please take the time to read this article so whoever downloaded this junk can stop doing it.
The Lop processes continuously contact these domains, ayb.dns-look-up.com and ads.dns-look-up.com, which reside on an IP address owned by C2 Media, the makers of Lop.
You have LOP on your computer, if the NoLop fix did not find and kill it, you may want to review the instructions and run it again. If the instructions are not followed, the fix may fail.
Please Post the contents of C:\NoLop.log along with a new HijackThis log
We will have more to do,
Thanks
Hi again, I followed the instructions for NoLop and closed all applications (do I need to shutdown my anti-virus?) But it still came up with no infections.
Here is this the NoLop log and the HighJackThis log to follow it.
I am reading the blog now.
NoLop! Log by Skate_Punk_21
Please Note: any existing old logs will have now been renamed to NoLop!OLD.log
Fix running from: C:\Documents and Settings\Peter Logie\Desktop
[28/03/2007]
[10:35:57 PM]
---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.
---Listing AppData sub directories---
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nero
C:\Documents and Settings\All Users\Application Data\Real Mess That Dart
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Trend Micro
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Peter Logie\Application Data\.bittorrent
C:\Documents and Settings\Peter Logie\Application Data\1clickdvdcopy -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Adobe
C:\Documents and Settings\Peter Logie\Application Data\Adobeum
C:\Documents and Settings\Peter Logie\Application Data\Ahead
C:\Documents and Settings\Peter Logie\Application Data\Ante Site
C:\Documents and Settings\Peter Logie\Application Data\Apple Computer
C:\Documents and Settings\Peter Logie\Application Data\Bitgrabber
C:\Documents and Settings\Peter Logie\Application Data\Copytodvd -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Coreftp
C:\Documents and Settings\Peter Logie\Application Data\Divx
C:\Documents and Settings\Peter Logie\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Hp
C:\Documents and Settings\Peter Logie\Application Data\Identities
C:\Documents and Settings\Peter Logie\Application Data\Lavasoft -- EMPTY Directory
C:\Documents and Settings\Peter Logie\Application Data\Macromedia
C:\Documents and Settings\Peter Logie\Application Data\Microsoft
C:\Documents and Settings\Peter Logie\Application Data\Mozilla
C:\Documents and Settings\Peter Logie\Application Data\Pc Tools
C:\Documents and Settings\Peter Logie\Application Data\Sun
C:\Documents and Settings\Peter Logie\Application Data\Utorrent
C:\Documents and Settings\Peter Logie\Application Data\Wholesecurity
Logfile of HijackThis v1.99.1
Scan saved at 10:39:10 PM, on 28/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\PMJ151LA.BIN
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Nero\Nero 7\Core\nero.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HighJack\HijackThis.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Line Speed Meter V3.0] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [that dart default way] C:\Documents and Settings\All Users\Application Data\Real Mess That Dart\typewindow.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [once sixth] C:\DOCUME~1\PETERL~1\APPLIC~1\ANTESI~1\pollwait.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: {42D683F7-9C1B-11D7-A860-005056C00001} (.print Client RDP Webinstall) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/TPRDPenN.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143117952609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143118201796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualpc.aspac.kpmg.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
pskelley
2007-03-28, 15:11
Thanks for returning the information and for trying the fix again. I have no idea why NoLop is not finding the infection, it has not failed in many, many attempts at using it. It may be SpywareDoctor is causing the fix to fail but it never has before? Did you notice anything strange in the way the fix worked as far as the instructions went?
We will have to try to remove it manually. I am interested in where you got this? If MessengerPlus was downloaded with sponsor programs, we may have to install it again and use an uninstaller, let's try this and see what happens.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(these are LOP)
O4 - HKLM\..\Run: [that dart default way] C:\Documents and Settings\All Users\Application Data\Real Mess That Dart\typewindow.exe
O4 - HKCU\..\Run: [once sixth] C:\DOCUME~1\PETERL~1\APPLIC~1\ANTESI~1\pollwait.exe
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Documents and Settings\All Users\Application Data\Real Mess That Dart\ <<< delete that folder
C:\DOCUMENTS and Settings~1\PETERL~1\APPLICation Data~1\ANTESI~1\ <<< delete that folder
Follow the instruction in this link to download, update and run Avg Anti-Spyware, make sure you delete or at least quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the scan results from AVG Anti-Spyware, a new HJT log and any comments you think will help.
Thanks
Ok thanks for your help, here are the logs of the scans. I followed your instructions.
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:15:50 PM 29/03/2007
+ Scan result:
:mozilla.113:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.41:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.123:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.125:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.135:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.132:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.83:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.29:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.171:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.90:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.91:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.94:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.95:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.96:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.27:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.28:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.100:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.17:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.128:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.80:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.81:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.82:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.85:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.223:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.224:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.225:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.110:C:\Documents and Settings\Peter Logie\Application Data\Mozilla\Firefox\Profiles\jxo85pr4.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 10:28:05 PM, on 29/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\PMJ151LA.BIN
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WPN111 Configuration Utility\wpn111.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\HighJack\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.3.19.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Line Speed Meter V3.0] C:\Program Files\tcpIQ\Line Speed Meter\LineSpeedMeter.exe -minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [once sixth] C:\DOCUME~1\PETERL~1\APPLIC~1\ANTESI~1\pollwait.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: {42D683F7-9C1B-11D7-A860-005056C00001} (.print Client RDP Webinstall) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/TPRDPenN.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143117952609
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1143118201796
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualpc.aspac.kpmg.com/whalecome71143c78e60c8b75eee56cd32f627f3c743fbabdece471dab063c3f86dbf8db830188/whalecom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualpc.aspac.kpmg.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {EA1B8527-E422-4909-825A-70BE0694F18E} (PortfolioManagerWT ProfileManager Class) - https://online.westpac.com.au/wtoa/wtOtherAccounts/portfoliomanagerwt.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PMJ151 AutoLaunch Service (PMJ151LA) - Matsushita Electric Industrial Co. ,Ltd, - C:\WINDOWS\PMJ151LA.BIN
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
I have a feeling this came from a bit torrent download, which was a dodgy winrar which required a password to unlock. There was a website which you had to go to and download another bittorrent download program and use the version number as the password which didnt work. I haven't downloan any messenger programs so i am not sure if relates to that. I did have a problem when I downloaded IE7 I had to uninstall then IE6 wouldn't work either so I now use Mozilla.
I hope this helps. Thanks again.
pskelley
2007-03-29, 15:03
Thanks for returning your information, this will help with those junk cookies:
http://www.mvps.org/winhelp2002/cookies.htm
http://www.microsoft.com/windows/ie/using/howto/privacy/config.mspx
Looks like you did not get it all:
O4 - HKCU\..\Run: [once sixth] C:\DOCUME~1\PETERL~1\APPLIC~1\ANTESI~1\ <<< that folder in red must be deleted.
Since NoLop won't work for you, here is more information that may help.
http://inetexplorer.mvps.org/data/lop.htm
Look over those instructions and give anything suggested a try, this is a piece of crap but it is hard to remove.
Before you try to delete the file in red, use HJT to remove the line, HJT is a process manager and it will stop the process so you can delete it.
BitRoll BitTorrent Client Installs Malware
http://torrentfreak.com/bitroll-bittorrent-client-installs-malware/
Safe downloading
http://cybercoyote.org/internet/download.shtml
http://www.learnthenet.com/english/html/101download.htm
I may have some old information or tools I can drag out, but see what you can accomplish first.
Don't be afraid to try the tool again, review the instructions first.
Keep me posted
Thanks
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.