View Full Version : secure connections disabled, help
exetergirldanni
2007-04-13, 16:10
My computer has some virus where i cannot access any sites with secure connections, such as e-mails or msn. I have ran Spybot S&D and it cannot find anything, and it's not my firewall as it has only just become apparent. I also cannot download the tools update from the Spybot website, and shows a socket error when I try to update through S&D. Does anyone have an idea how to track down and get rid of this virus?
Thanks
Hello.
The primary causes of Socket Errors during the Spybot update are firewalls and proxy servers, but as you believe the machine is infected; please see the procedure for posting in this forum: "BEFORE you POST" Mandatory Steps Before Requesting Assistance (http://forums.spybot.info/showthread.php?t=288)
Post the information into this topic, and a helper will advise you as soon as available.
If you cannot run the on-line Anti Virus scan please let us know.
Cheers.
exetergirldanni
2007-04-17, 00:00
Hello,
I have ran panda and hijack this, hope this helps
Panda log
Incident Status Location
Virus:Trj/KillAV.FW Disinfected Operating system
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Danni\Cookies\danni@adtech[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Danni\Cookies\danni@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Danni\Cookies\danni@bs.serving-sys[1].txt
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Danni\Cookies\danni@linksynergy[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Danni\Cookies\danni@mediaplex[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Danni\Cookies\danni@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Danni\Cookies\danni@realmedia[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Danni\Cookies\danni@serving-sys[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Danni\Cookies\danni@tribalfusion[1].txt
Virus:Trj/KillAV.FW Disinfected C:\Program Files\Common Files\Symantec Shared\ccApp.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\Norton Internet Security\UrlLstCk.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\REGSHAVE\REGSHAVE.EXE
Virus:Trj/KillAV.FW Disinfected C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
Virus:Trj/KillAV.FW Disinfected C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
Virus:Trj/KillAV.FW Disinfected C:\WINDOWS\system32\dla\tfswctrl.exe
Adware:Adware/EShopper Not disinfected C:\WINDOWS\system32\m247es.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\WINDOWS\system32\mgsb.exe
Hijack This log
Logfile of HijackThis v1.99.1
Scan saved at 22:58:43, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Danni\My Documents\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.southampton.ac.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\tmp7.tmp.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {f96235b2-20bc-4b1d-9773-3b678753067a} - C:\WINDOWS\system32\mimapi.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\opoopq.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mimapi - C:\WINDOWS\SYSTEM32\mimapi.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
Angelfire777
2007-04-26, 22:06
Hi, welcome to Safer Networking Forums!
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your Desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
exetergirldanni
2007-04-26, 23:09
Hello, I have ran vundofix and hijackthis again
vundofix
VundoFix V6.3.20
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 21:54:13 26/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp7.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
Hijackthis
Logfile of HijackThis v1.99.1
Scan saved at 22:07:48, on 26/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Danni\My Documents\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp59.tmp.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {f96235b2-20bc-4b1d-9773-3b678753067a} - C:\WINDOWS\system32\mimapi.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\gebxuu.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: mimapi - C:\WINDOWS\SYSTEM32\mimapi.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
Angelfire777
2007-04-27, 00:26
Hi,
*Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
Copy&Paste the 2 entries below into the top 4 boxes.
C:\WINDOWS\system32\mimapi.dll
C:\WINDOWS\SYSTEM32\ipamim.*
C:\WINDOWS\system32\tmp59.tmp.dll
C:\WINDOWS\system32\pmt.95pmt.*
Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt
*Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) by noahdfear and save it to your desktop:
Please double-click FindAWF.exe to run it.
If a security alert shows, allow the program to run.
When the tool has completed, a report will open in Notepad.
Please post the results of the awf.txt in your next reply.
On your next reply, please post a fresh HijackThis log, Vundofix log and the findAWF log.
exetergirldanni
2007-04-29, 23:29
Hello
here is a fresh HijackThis log, Vundofix log and the findAWF log
HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 22:26:12, on 29/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\sol.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Danni\My Documents\Downloads\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.msn.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp59.tmp.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {f96235b2-20bc-4b1d-9773-3b678753067a} - C:\WINDOWS\system32\mimapi.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\gebxuu.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
[B]VundoFix
VundoFix V6.3.20
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 21:54:13 26/04/2007
Listing files found while scanning....
C:\WINDOWS\system32\tmp7.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.20
Checking Java version...
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.
Scan started at 22:12:11 29/04/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Attempting to delete C:\WINDOWS\system32\mimapi.dll
C:\WINDOWS\system32\mimapi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tmp59.tmp.dll
C:\WINDOWS\system32\tmp59.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
findAWF
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\NORTON~1\BAK
06/05/2005 04:27 22,656 UrlLstCk.exe
1 File(s) 22,656 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
14/08/2006 20:29 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\REGSHAVE\BAK
04/02/2002 22:32 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
04/08/2004 13:00 15,360 ctfmon.exe
1 File(s) 15,360 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
11/04/2005 10:00 339,968 atiptaxx.exe
1 File(s) 339,968 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
12/04/2006 13:54 49,824 ccApp.exe
1 File(s) 49,824 bytes
Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
14/10/2004 23:26 688,218 SynTPEnh.exe
14/10/2004 23:28 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK
11/04/2005 11:26 65,536 toscdspd.exe
1 File(s) 65,536 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~1\BAK
Angelfire777
2007-04-30, 07:42
The findAWF log you posted was incomplete...Please post the contents of awf.txt again ..
exetergirldanni
2007-04-30, 17:36
Find AWF report by noahdfear ©2006
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\NORTON~1\BAK
06/05/2005 04:27 22,656 UrlLstCk.exe
1 File(s) 22,656 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
14/08/2006 20:29 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\REGSHAVE\BAK
04/02/2002 22:32 53,248 REGSHAVE.EXE
1 File(s) 53,248 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
04/08/2004 13:00 15,360 ctfmon.exe
1 File(s) 15,360 bytes
Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK
11/04/2005 10:00 339,968 atiptaxx.exe
1 File(s) 339,968 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
12/04/2006 13:54 49,824 ccApp.exe
1 File(s) 49,824 bytes
Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
14/10/2004 23:26 688,218 SynTPEnh.exe
14/10/2004 23:28 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK
11/04/2005 11:26 65,536 toscdspd.exe
1 File(s) 65,536 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~1\BAK
25/04/2005 09:15 339,968 thotkey.exe
1 File(s) 339,968 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~3\BAK
11/04/2005 10:12 118,784 SmoothView.exe
1 File(s) 118,784 bytes
Directory of C:\PROGRA~1\TOSHIBA\TOUCHA~1\BAK
17/11/2004 10:56 1,077,327 PadExe.exe
1 File(s) 1,077,327 bytes
Directory of C:\PROGRA~1\TOSHIBA\TVS\BAK
05/04/2005 16:25 73,728 TvsTray.exe
1 File(s) 73,728 bytes
Directory of C:\WINDOWS\SYSTEM32\DLA\BAK
31/05/2005 05:33 122,941 tfswctrl.exe
1 File(s) 122,941 bytes
Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK
14/02/2007 15:13 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
22656 6 May 2005 "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe"
282624 14 Aug 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 4 Feb 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
15360 4 Aug 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 4 Aug 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
339968 11 Apr 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
49824 12 Apr 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
688218 14 Oct 2004 "C:\ToolsCD\Touch pad Driver\SynTPEnh.exe"
688218 14 Oct 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 14 Oct 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 14 Oct 2004 "C:\ToolsCD\Touch pad Driver\SynTPLpr.exe"
98394 14 Oct 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 14 Oct 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
65536 11 Apr 2005 "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe"
339968 25 Apr 2005 "C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe"
118784 11 Apr 2005 "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe"
1077327 17 Nov 2004 "C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe"
73728 5 Apr 2005 "C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe"
122941 31 May 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 31 May 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
69632 31 Oct 2006 "C:\Program Files\Google\Google Earth\googleearth.exe"
559784 8 Sep 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
171448 14 Feb 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
end of report
Angelfire777
2007-05-01, 01:34
Hi,
*Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Antispyware.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update. Do not use it yet!
*Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune
Do not use it yet.
*Please download DelDomains (http://www.mvps.org/winhelp2002/DelDomains.inf) by WinHelp2002 and save it to your desktop:
Right-click on DelDomains.inf, and choose Install.
You may not see any noticeable changes or prompts; this is normal.
Then, please restart your computer, and post a new HijackThis log.
You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.
*Please download ResetProtocolDefaults (http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg) by WinHelp2002 and save it to your desktop:
Locate ResetProtocolDefaults.reg which should be on your desktop.
Right-click and select: Merge.
OK the prompt.
___________________
*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp59.tmp.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {f96235b2-20bc-4b1d-9773-3b678753067a} - C:\WINDOWS\system32\mimapi.dll (file missing)
O4 - HKLM\..\Run: rundll32.exe "C:\WINDOWS\gebxuu.dll",realset
O20 - AppInit_DLLs:
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
*You may want to print these instructions here or save them in notepad since you'll work offline.
Reboot into Safe Mode.
To enter Safe Mode..
Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.
*Configure your machine to view hidden files:
Windows XP
Click Start.
Open My Computer..
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the "Hidden files and folders" heading select Show hidden files and folders.
Uncheck the Hide Protected Operating System Files Option.
Click Yes to confirm.
Click OK.
*Using Windows Explorer, find and delete this file:
C:\WINDOWS\gebxuu.dll
Empty your recycle bin.
____________________
*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type restore.bat in the File name and save it to your desktop.
if exist "C:\Program Files\Norton Internet Security\UrlLstCk.exe" del /q "C:\Program Files\Norton Internet Security\UrlLstCk.exe"
copy /y "C:\Program Files\Norton Internet Security\bak\UrlLstCk.exe" "C:\Program Files\Norton Internet Security"
if exist "C:\Program Files\REGSHAVE\REGSHAVE.EXE" del /q "C:\Program Files\REGSHAVE\REGSHAVE.EXE"
copy /y "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE" "C:\Program Files\REGSHAVE"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
if exist "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" del /q "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
copy /y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel"
if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy /y "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared"
if exist "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" del /q "C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe"
copy /y "C:\Program Files\TOSHIBA\TOSCDSPD\bak\toscdspd.exe" "C:\Program Files\TOSHIBA\TOSCDSPD"
if exist "C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe" del /q "C:\Program Files\TOSHIBA\TOSHIBA Applet\thotkey.exe"
copy /y "C:\Program Files\TOSHIBA\TOSHIBA Applet\bak\thotkey.exe" "C:\Program Files\TOSHIBA\TOSHIBA Applet"
if exist "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" del /q "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe"
copy /y ":\Program Files\TOSHIBA\TOSHIBA Zooming Utility\bak\SmoothView.exe" "C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility"
if exist "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" del /q "C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe"
copy /y "C:\Program Files\TOSHIBA\Touch and Launch\bak\PadExe.exe" "C:\Program Files\TOSHIBA\Touch and Launch"
if exist "C:\Program Files\TOSHIBA\Tvs\TvsTray.exe" del /q "C:\Program Files\TOSHIBA\Tvs\TvsTray.exe"
copy /y "C:\Program Files\TOSHIBA\Tvs\bak\TvsTray.exe" "C:\Program Files\TOSHIBA\Tvs"
if exist "C:\WINDOWS\system32\dla\tfswctrl.exe" del /q "C:\WINDOWS\system32\dla\tfswctrl.exe"
copy /y "C:\WINDOWS\system32\dla\bak\tfswctrl.exe" "C:\WINDOWS\system32\dla"
if exist "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" del /q "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462"
Double click restore.bat then please run FindAWF again to make sure nothing is left.
__________________
*[b]Important: Make sure all your browsers are closed before running ATF Cleaner..
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose:Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click
No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE:If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
*Please run AVG AntiSpyware, and run a full scan as follow:
IMPORTANT: Do not open any other windows or programs while AVG AntiSpyware is scanning, it may interfere with the scanning process.
Launch AVG AntiSpyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
AVG AntiSpyware will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save Report As" button in the lower left hand of the screen and save it to a text file on your system. (Make sure to remember where you saved that file, this is important).
Close AVG AntiSpyware.
Reboot to normal mode.
*Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u1 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
On your next reply, please include a fresh HijackThis log, AVG Antispyware log, findawf log and a description on how is your machine running.
How is it going exetergirldanni
Due to lack of a response, this topic has been archived.
If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.