Command Service Virus (PLEASE HELP!!)



shortyroc
2007-05-03, 15:41
Help I've been burdened with extensive pops and adware... please help... and I need a free antispyware protection if you know of any... Thanks in advance!!

Here's my HJT log:
---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:37:18 AM, on 5/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchosts.exe
C:\WINDOWS\U291dGh3ZXN0ZXJuIENvbGxlZ2U\command.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\{A86900FB-02B9-1033-1113-001116190001}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\ozwi\ozwia.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - F:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - F:\Program Files\Panicware\Pop-Up Stopper Basic\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5b24049d-fc33-4c2c-9385-eed06c4e8911} - C:\WINDOWS\system32\euddmo.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38690~1\Bar888.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Protection Bar - {74a49269-9779-48b4-a0e6-3a5af2a3ade6} - C:\Program Files\Perfect Codec\iesplugin.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{38690~1\Bar888.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - F:\Program Files\Panicware\Pop-Up Stopper Basic\popuppro.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [ozwi] C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: euddmo - euddmo.dll (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U291dGh3ZXN0ZXJuIENvbGxlZ2U\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

tashi
2007-05-17, 16:24
Hello.

Hello and sorry for the delay. For people waiting who have not resolved their problem, we have this sticky topic:
If you have waited FOUR days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836) :)

Mr_JAk3
2007-05-17, 20:25
Hello shortyroc and welcome to the Forums :)

Sorry for the delay, I noticed the post in the waiting room....

You're badly infected. I must warn that one or more of the identified infections is a backdoor trojan :sick:

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post:bigthumb:
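
A triage pass over the kind of HijackThis O4/O20/O23 entries this thread turns on, added here as an example; it is not part of the original thread and not code from HijackThis, SDFix or any other tool named in it. The sample lines are copied from the logs posted above, while the rules (names one typo away from a system binary, a real system name outside its normal folder, missing files, unbalanced quoting, a non-DLL AppInit entry, and a folder name that is base64 for readable text, such as the one holding command.exe) are heuristics I chose, and the table of expected directories is an assumption for Windows XP.

```python
import base64
import binascii
import re

# Normal home of each XP system binary (assumption for this example, taken from the clean entries above).
SYSTEM_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed sample: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O20 - Winlogon Notify: euddmo - euddmo.dll (file missing)
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000213 (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U291dGh3ZXN0ZXJuIENvbGxlZ2U\command.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(?P<kind>[ORF]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|dat|sys|ocx)\b', re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def edit_distance(a, b):
    # Levenshtein distance: a name one edit away from a system binary is suspicious.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_base64(token):
    # Decoded text if a folder name is base64 for printable ASCII, else None.
    if not B64_RE.match(token):
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def check_path(path):
    reasons = []
    parts = path.split("\\")
    name, folder = parts[-1].lower(), "\\".join(parts[:-1]).lower()
    expected = SYSTEM_BINARIES.get(name)
    if expected is not None:
        if folder != expected:  # real name, wrong place (e.g. system32\explorer.exe)
            reasons.append(f"{name} outside its normal directory ({expected})")
    else:
        for real in SYSTEM_BINARIES:
            if edit_distance(name, real) == 1:  # svhost, poolsv, svchosts ...
                reasons.append(f"{name} looks like {real}")
                break
    for part in parts[1:-1]:  # original case kept: base64 is case-sensitive
        decoded = looks_base64(part)
        if decoded is not None:
            reasons.append(f"directory {part!r} is base64 for {decoded!r}")
    return reasons


def triage_line(line):
    reasons = []
    m = LINE_RE.match(line.strip())
    if not m:
        return reasons
    kind, body = m.group("kind"), m.group("body")
    if "(file missing)" in body:
        reasons.append("file missing")
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("unknown owner")  # weak alone: Adobe LM Service above shows it too
    if body.count('"') % 2:
        reasons.append("unbalanced quotes in image path")
    paths = PATH_RE.findall(body)
    if kind in ("O4", "O23") and not paths:
        reasons.append("no absolute path")
    if kind == "O20" and body.startswith("AppInit_DLLs") and paths and not paths[0].lower().endswith(".dll"):
        reasons.append("AppInit_DLLs entry is not a .dll")
    for p in paths:
        reasons.extend(check_path(p))
    return reasons


def triage(text):
    # [(line, reasons)] for every entry that trips at least one rule.
    found = [(l.strip(), triage_line(l)) for l in text.splitlines()]
    return [f for f in found if f[1]]


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

Every rule here is a hint for a human reader, not a verdict: "Unknown owner" alone also fires on unsigned legitimate services, and only the lookalike and base64 rules would flag a well-named binary in a normal-looking folder.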

shortyroc
2007-05-18, 03:08
I need help... so whatever I need to do let me know!!

Mr_JAk3
2007-05-18, 21:42
Ok so you want to clean the computer?

I'll be happy to help you :)

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

:bigthumb:

shortyroc
2007-05-19, 22:42
Here's that report you asked for!!
The next report is coming...
------------------------------------
SDFix: Version 1.84

Run by Admin - Sat 05/19/2007 - 12:12:42.90

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Admin\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
core

ImagePath:
system32\drivers\core.sys

core - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\RECYCLER\S-1-5-21-1417001333-1563985344-1957994488-1006\Dc24.dllb - Deleted
C:\RECYCLER\S-1-5-21-1417001333-1563985344-1957994488-1006\Dc26.dllb - Deleted
C:\RECYCLER\S-1-5-21-1417001333-1563985344-1957994488-1006\Dc27.dllb - Deleted
C:\Program Files\Ipwindows\ipwins.dll - Deleted
C:\Program Files\Ipwindows\UnInstall.exe - Deleted
C:\Program Files\Ipwindows\bak\ipwins.exe - Deleted
C:\Documents and Settings\Admin\Application Data\Install.dat - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\b122.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\setup.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\svchost.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\drivers\core.cache.dsk - Deleted
C:\WINDOWS\system32\drivers\core.sys - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\WINDOWS\system32\unsvchosts.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Admin\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\WINDOWS\SYSTEM32\rqoon.dll
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Khalif.Morris\My Documents\Word Documents\~WRL0004.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL0279.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL0344.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL1322.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL1332.tmp
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet1\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet2\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet3\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet4\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet5\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet6\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet7\desktop.ini

Finished

shortyroc
2007-05-19, 22:45
Here's my new Hijackthis file...
-----------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:43:44 PM, on 5/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] F:\Program Files\Alwil Software\Avast4\TISKY002.exe CHD001
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\nnrihetb.dll",realset
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] F:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ozwi] C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: TA_Start.lnk = F:\Program Files\Alwil Software\Avast4\TISKY002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

shortyroc
2007-05-19, 22:57
HERE'S THE LAST REPORT
------------------------------------

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\IPWIND~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\MICROS~3\BAK

07/12/2005 03:35 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/21/2004 02:24 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 06:41 AM 13,312 ctfmon.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
2 File(s) 168,960 bytes

Directory of C:\PROGRA~1\COMMON~1\OZWI\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\PANICW~1\POP-UP~2\BAK

10/29/2003 12:01 PM 524,288 PSFree.exe
1 File(s) 524,288 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

11/30/2006 10:49 PM 4,662,776 YAHOOM~1.EXE
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

05/20/2006 12:48 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/13/2005 04:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of F:\PROGRA~1\PANICW~1\POP-UP~2\BAK

03/17/2005 11:10 AM 536,576 PSFree.exe
1 File(s) 536,576 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
77824 May 21 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
37089 May 13 2007 "C:\WINDOWS\LastGood\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
37089 May 13 2007 "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
536576 Mar 17 2005 "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
180269 May 20 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
524288 Oct 29 2003 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
37089 May 13 2007 "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
536576 Mar 17 2005 "F:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"


end of report

shortyroc
2007-05-23, 04:31
Please help... I really need this computer! :sad:

shortyroc
2007-05-23, 04:33
Here's an updated hijackthis log
----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:32:13 PM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] F:\Program Files\Alwil Software\Avast4\TISKY002.exe CHD001
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\System32\nnrihetb.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ozwi] C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: TA_Start.lnk = F:\Program Files\Alwil Software\Avast4\TISKY002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Mr_JAk3
2007-05-23, 17:38
Hello and sorry for the delay. I don't know what happened to the email notification :red:

Please run SDFix again (download the latest version first). Post its log here together with a new HijackThis log.

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to "Browse" button:
C:\WINDOWS\System32\perfc000.dat
Click on Send
Wait for the scan to end.

Copy and paste the scan results here.

Then we'll clean the rest :bigthumb:

shortyroc
2007-05-29, 14:07
Here's the SD report...
--------------------------------------------------
SDFix: Version 1.84

Run by Admin - Tue 05/29/2007 - 7:13:24.42

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Admin\Desktop\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp1F.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp2.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp3.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp5.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp7.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmpA.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\svchost.exe - Deleted
C:\WINDOWS\poolsv.exe - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu11.exe - Deleted
C:\WINDOWS\retadpu77.exe - Deleted
C:\WINDOWS\svhost.exe - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp6.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\tmp7.tmp.exe - Deleted
C:\DOCUME~1\Admin\LOCALS~1\Temp\svchost.exe - Deleted
C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system32\explorer.exe - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Admin\Desktop\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Program Files\Uninstall Information\IE40.Comctl32\AINF0000
C:\Program Files\Uninstall Information\mshtml.DllReg\AINF0000
C:\WINDOWS\SYSTEM32\rqoon.dll
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Messenger\msmsgs.exe
C:\System Volume Information\_restore{A8023AE6-F9C8-43D7-A63A-02466089C964}\RP225\A0021099.exe
C:\System Volume Information\_restore{A8023AE6-F9C8-43D7-A63A-02466089C964}\RP226\A0021201.exe
C:\System Volume Information\_restore{A8023AE6-F9C8-43D7-A63A-02466089C964}\RP226\A0021202.exe
C:\System Volume Information\_restore{A8023AE6-F9C8-43D7-A63A-02466089C964}\RP228\A0021357.exe
C:\Documents and Settings\Khalif.Morris\My Documents\Word Documents\~WRL0004.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL0279.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL0344.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL1322.tmp
C:\Documents and Settings\Student\Application Data\Microsoft\Word\~WRL1332.tmp
C:\WINDOWS\SYSTEM32\nooqr.tmp
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet1\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet2\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet3\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet4\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet5\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet6\desktop.ini
C:\Documents and Settings\Student\Local Settings\Temp\Temporary Directory 1 for introexcel.zip\MOUSProjectFiles\SkillSet7\desktop.ini

Finished

shortyroc
2007-05-29, 14:08
here's the new hijackthis report
-----------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:05:18 AM, on 5/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\notepad.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Windows Media Player\wmplayer.exe
F:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\Explorer.exe
F:\Program Files\Hijackthis\HijackThis.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\mfw.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] F:\Program Files\Alwil Software\Avast4\TISKY002.exe CHD001
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\qonmmj.dll",realset
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ozwi] C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: TA_Start.lnk = F:\Program Files\Alwil Software\Avast4\TISKY002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

Mr_JAk3
2007-05-29, 21:26
Sorry for the delay...we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Download replacer_shortyroc.bat (http://koti.mbnet.fi/jpk88/replacer_shortyroc.bat) to your desktop. Don't run it yet!

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop. Do NOT run yet.

Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe Do NOT run yet.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Double-click on replacer_shortyroc.bat and let it run.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run a scan with Dr.Web CureIt. Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, look whether you can click the next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.

tashi
2007-06-05, 01:52
How is it going, shortyroc?

shortyroc
2007-06-05, 18:43
I did all this and still get pop-ups... I will post the logs later on tonight.

tashi
2007-06-10, 00:31
This topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

tashi
2007-06-10, 19:29
Re-opened upon request.

shortyroc
2007-06-12, 20:52
Thanks for Re-opening this thread...
Here is my latest HijackThis log...
---------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:49:33 PM, on 6/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\cltcwmho.exe
C:\WINDOWS\System32\lexpps.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
F:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\System32\xkhcnnrt.dll",realset
O4 - HKLM\..\Run: [mstsc] C:\WINDOWS\cltcwmho.exe
O4 - HKLM\..\Run: [j9291939] rundll32 C:\WINDOWS\System32\j9291939.dll sook
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\jkhfgh.dll",realset
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ozwi] C:\PROGRA~1\COMMON~1\ozwi\ozwim.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - Startup: TA_Start.lnk = F:\Program Files\Alwil Software\Avast4\TISKY002.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - F:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - F:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
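
A triage script for logs like the two posted in this thread, added here as an example and not part of the thread or of any tool the helpers name. It parses the HijackThis format into the running-process list and the R/F/O entries and applies a few defender-side rules: a ProxyServer pointing at the local machine (the value changed from ":0" in the first log to "localhost:8182" in this one), a non-empty AppInit_DLLs entry, Run entries that load a DLL via rundll32 from the Windows directory, Run entries with no path at all, processes launched from a Temp directory, and core Windows binary names running from a directory other than the one they belong in. The expected-directory table, the rule names and the sample log (a subset of lines copied from the logs above) are my own construction; the script only produces a review list, it does not decide what to remove.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule line")

# Assumed expected locations for core Windows binaries on this XP-era system;
# the same file name running from anywhere else is a masquerade hint.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}

# Constructed sample: a subset of lines from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Explorer.exe
C:\DOCUME~1\Admin\LOCALS~1\Temp\mfw.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8182
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\jkhfgh.dll",realset
O4 - HKLM\..\Run: [Install.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O20 - AppInit_DLLs: C:\WINDOWS\System32\perfc000.dat
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def parse_hjt(text):
    """Split a HijackThis log into (process_paths, [(section, rest), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False          # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = re.match(r"^([RFO]\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def split_path(path):
    """Return (parent_dir, file_name), lower-cased, for a Windows path."""
    parent, _, name = path.strip('"').lower().rpartition("\\")
    return parent, name


def first_token(command):
    """First executable of a Run command, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""


def check_path(path, line):
    """Rules that apply to any executable path (process list or Run value)."""
    parent, name = split_path(path)
    out = []
    if "\\temp\\" in parent + "\\":
        out.append(Finding("temp-dir", line))        # launched from a Temp directory
    expected = EXPECTED_DIR.get(name)
    if expected and parent != expected:
        out.append(Finding("masquerade", line))      # system binary name, wrong directory
    return out


def check_run(command, line):
    """Rules for the command part of an O4 Run entry."""
    if re.match(r"\s*rundll32(\.exe)?\b", command, re.I):
        m = re.search(r'rundll32(?:\.exe)?\s+"?([^",\s]+)', command, re.I)
        parent, _ = split_path(m.group(1) if m else "")
        # A DLL dropped directly into C:\WINDOWS or System32 and loaded via rundll32
        return [Finding("rundll32-windows-dir", line)] if parent in WINDOWS_DIRS else []
    exe = first_token(command)
    if "\\" not in exe:
        return [Finding("bare-name", line)]          # no path at all, e.g. "IExplorer.dll .dbt"
    return check_path(exe, line)


def triage(text):
    """Return the list of Findings for a whole HijackThis log."""
    procs, entries = parse_hjt(text)
    findings = []
    for p in procs:
        findings += check_path(p, "process: " + p)
    for section, rest in entries:
        line = section + " - " + rest
        if section == "R1" and "ProxyServer =" in rest:
            value = rest.split("=", 1)[1].strip().lower()
            if value.startswith(("localhost", "127.0.0.1")):
                findings.append(Finding("local-proxy", line))   # browser traffic routed through a local process
        elif section == "O4":
            m = re.match(r".*?\[[^\]]*\]\s+(.*)$", rest)
            if m:
                findings += check_run(m.group(1), line)
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            if rest.split(":", 1)[1].strip():
                findings.append(Finding("appinit-dll", line))   # DLL injected into every process
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:22} {f.line}")
```

Every rule here is a review prompt, not a verdict: legitimate rundll32 Run entries exist, and the expected-directory table covers only the handful of names it lists (the first log's `svchosts.exe`, a look-alike rather than a misplaced copy, would slip past it). The rules are cheap to extend once a log has shown which pattern the machine actually exhibits.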

Mr_JAk3
2007-06-13, 20:32
Hello :)

Ok we'll continue.

Please run FindAWF again and post its log here.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

tashi
2007-06-19, 09:18
shortyroc, still with us?

shortyroc
2007-06-19, 17:18
Yes... I am not at my computer just yet.

tashi
2007-06-26, 19:27
Hello.

If you cannot respond to your helper, I will close this topic again as it was started 2007-05-03 and we don't seem to be moving forward.

Best regards.

tashi
2007-07-09, 07:32
Archived.