uncleduey
2007-04-27, 10:32
Please be patient with me... I'm no expert.
I (stupid me) installed a file decompression program that I hadn't heard of and now I get pop-up advertisements (eBay, NAB, casino etc). I uninstalled the program, which didn't make a difference, and have tried to do a system restore, which now fails. I'm at my wits' end.
I have reviewed and done all the tasks requested in the Malware forum before I posted. When running Spybot in safe mode, nothing was found.
Below is the Online Virus Scan report followed by the HJT log, as per instructions. Hope you can help.
cheers.
Online Virus Scan Report (ActiveScan)
Incident Status Location
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Heck Idol Obj 4\file chin.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\user\Application Data\MFCDBOLDTEST\Roam okay.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\user\Application Data\MFCDBOLDTEST\uzlbejes.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\user\Cookies\user@112.2o7[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\user\Cookies\user@azjmp[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@bs.serving-sys[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\user\Cookies\user@casinotropez[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\user\Cookies\user@com[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\user\Cookies\user@serving-sys[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\user\Cookies\user@www.burstbeacon[1].txt
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\user\Local Settings\Temp\b116.exe[YazzleBundle-1122.exe]
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\user\Local Settings\Temp\b116.exe[YazzleBundle-1122.exe][¦++\Yazzle1122OinAdmin.exe]
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\user\Local Settings\Temp\b122.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\user\Local Settings\Temp\b129.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\user\Local Settings\Temp\b129.exe[whiehlpr.dll]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\user\Local Settings\Temp\bis9364.exe
Adware:Adware/Maxifiles Not disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\681OCPWY\122[1].net
Adware:Adware/888Bar Not disinfected C:\Program Files\Common Files\{30E66B35-095D-1033-0707-06062006003d}\Bar888.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\ipwins.dll
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\ipwins.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\UnInstall.exe
HJT v1.9
Logfile of HijackThis v1.99.1
Scan saved at 5:31:26 PM, on 27/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\{10E66B35-095D-1033-0707-06062006003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ipwindows\ipwins.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.3558\swg.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Axis Live] C:\DOCUME~1\user\APPLIC~1\MFCDBO~1\Roam okay.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: ComproRemote.lnk = ?
O4 - Global Startup: ComproSchedulerDTV.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
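As an added example (this is not part of uncleduey's post, nor code from HijackThis or Panda ActiveScan), here is a small Python script that does what a helper on this forum does by eye with a log like the one above: it pulls the O4 autostart entries, works out which file each one really launches, flags any that start from a user-writable directory (Documents and Settings, Application Data, Temp), and cross-references them with the paths in the online scan report. The sample lines are copied from the log above and embedded as constructed input so it runs offline; the list of user-writable directories, the function names, and the 8.3 short-name matching (DOCUME~1 versus "Documents and Settings") are this example's own assumptions.

```python
"""Triage HijackThis O4 (autostart) entries against an antivirus scan report.
Added example, not part of the original post or of HijackThis/ActiveScan; the
sample text is copied from the log in the post and embedded as constructed input."""
import re

HJT_LOG = r"""
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Axis Live] C:\DOCUME~1\user\APPLIC~1\MFCDBO~1\Roam okay.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: ComproRemote.lnk = ?
"""
AV_REPORT = r"""
Adware:Adware/Lop Not disinfected C:\Documents and Settings\user\Application Data\MFCDBOLDTEST\Roam okay.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\user\Application Data\MFCDBOLDTEST\uzlbejes.exe
Adware:Adware/Maxifiles Not disinfected C:\Program Files\Ipwindows\ipwins.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
AV_RE = re.compile(r"^(?P<kind>\S+) (?P<status>Not disinfected|Disinfected|Deleted) (?P<path>.+)$")
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|com))"?(?:\s|$)', re.IGNORECASE)
SHORT_RE = re.compile(r"^([^~]{1,6})~\d+(\.[^.]*)?$")  # DOS 8.3 short name, e.g. DOCUME~1
# Directories a non-admin XP user can write to (long and 8.3 spellings); this example's own list.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\applic~1\\", "\\temp\\")


def extract_payload(cmd: str) -> str:
    """File that a Run-key command actually executes; rundll32 is unwrapped to its DLL."""
    parts = cmd.strip().split(None, 1)
    if parts and parts[0].strip('"').lower().endswith("rundll32.exe") and len(parts) > 1:
        return parts[1].split(",", 1)[0].strip().strip('"')
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else parts[0].strip('"')


def parse_hjt_o4(text: str) -> list:
    """Registry Run entries from an HJT log (Global Startup shortcuts are skipped)."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append({**m.groupdict(), "payload": extract_payload(m.group("cmd"))})
    return entries


def parse_av_report(text: str) -> list:
    return [m.groupdict() for m in map(AV_RE.match, map(str.strip, text.splitlines())) if m]


def component_matches(a: str, b: str) -> bool:
    """Compare one path component, tolerating an 8.3 short name on either side
    (DOCUME~1 vs 'Documents and Settings'). Heuristic: the ~N index is not checked."""
    a, b = a.upper(), b.upper()
    if a == b:
        return True
    for short, full in ((a, b), (b, a)):
        m = SHORT_RE.match(short)
        if not m:
            continue
        stem, ext = full.rsplit(".", 1) if "." in full else (full, "")
        stem = re.sub(r"[\s.]", "", stem)  # 8.3 generation drops spaces and dots
        if stem.startswith(m.group(1)) and (m.group(2) or "") == (f".{ext}" if ext else ""):
            return True
    return False


def paths_match(p: str, q: str) -> bool:
    pa, qa = p.split("\\"), q.split("\\")
    return len(pa) == len(qa) and all(component_matches(x, y) for x, y in zip(pa, qa))


def triage(hjt_text: str, av_text: str) -> list:
    """Return O4 entries worth a second look, with reasons and matching AV detections."""
    detections = parse_av_report(av_text)
    findings = []
    for e in parse_hjt_o4(hjt_text):
        reasons, severity = [], "low"
        if any(d in e["payload"].lower() for d in USER_WRITABLE):
            reasons.append("runs from a user-writable directory")
            severity = "high"
        hits = [d for d in detections if paths_match(d["path"], e["payload"])]
        if hits:
            reasons.append("matches AV detection: " + ", ".join(h["kind"] for h in hits))
            severity = "high"
        if "\\" not in e["payload"]:  # bare filename: found via PATH search, so check where it lives
            reasons.append("unqualified filename, located via PATH search")
        if reasons:
            findings.append({**e, "severity": severity, "reasons": reasons, "av_hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG, AV_REPORT):
        print(f"[{f['severity']}] {f['hive']} {f['key']} [{f['name']}] -> {f['payload']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample above it rates [Axis Live] and [IpWins] as high (the first runs from Application Data and matches the Adware/Lop detection, the second matches the Adware/Maxifiles detection) and lists the bare sttray.exe and nwiz.exe entries as low for a manual check. It is an aid, not a verdict: an entry under C:\WINDOWS\system32 is not flagged just for living there, and the short-name matching can collide when several long names share the same first six characters.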