PDA

View Full Version : Pop-up Problems! Cannot Delete Command Service



bullethead399
2007-08-08, 07:46
I don't know what to do. When I use spybot, it finds command services and now I keep gettin pop ups of stupid advertisements. PLEASE HELP...

HERE'S THE ONLINE SCAN REPORT.

File Infection Status Path
adfcook[1] Win32/Secdrop.OC infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\0P0VS70R\
retadpu[1].exe Win32/Matcash.AP infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\0P0VS70R\
masiyxanidi[1] Win32/Abetear.B infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\65T6BUTS\
kcehc_eicooc20070702[1] Win32/Secdrop.OF infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\EEFV3AKK\
!update-4395[1].0000 Win32/Clspring.GS infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\VM0Z3H85\
CAZEWFVL Win32/Vundo!generic infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\WJ5NMQ3T\
_affvm[1] Win32/Vundo!generic infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\WJ5NMQ3T\
_jnvm[1] Win32/Darksma!generic infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\WJ5NMQ3T\
retadpu[1].exe Win32/Matcash.AP infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\Y9DA3E1G\
retadpu[2].exe Win32/Matcash.AP infected C:\Documents and Settings\Eric G\Local Settings\Temporary Internet Files\Content.IE5\Y9DA3E1G\
p.zip Win32/Alcan.I!ZIP infected C:\Program Files\outlook\
p.zip>Setup.exe Win32/Alcan.I infected C:\Program Files\outlook\
v.tmp Win32/Alcan.I infected C:\Program Files\outlook\
cpffxqxc.dll Win32/Darksma!generic infected C:\WINDOWS\system32\
fnccwxku.exe Win32/Abetear.B infected C:\WINDOWS\system32\
fonvgmpi.exe Win32/Abetear.B infected C:\WINDOWS\system32\
gprwuatd.exe Win32/Abetear.B infected C:\WINDOWS\system32\
install.exe Win32/Matcash.AQ infected C:\WINDOWS\system32\
jfpaxpmx.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
jsamlkdc.exe Win32/Abetear.B infected C:\WINDOWS\system32\
ocnjoqbv.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
omltxmos.exe Win32/Secdrop.OC infected C:\WINDOWS\system32\
peleegug.exe Win32/Abetear.B infected C:\WINDOWS\system32\
ps.exe Win32/Unknown possibly infected C:\WINDOWS\system32\
pylcgicv.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
qebltbon.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
sstts.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
taqmsqem.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
vtuttqn.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
wefwedhn.exe Win32/Abetear.B infected C:\WINDOWS\system32\
wpdcvxko.exe Win32/Secdrop.OF infected C:\WINDOWS\system32\
ycqphyot.exe Win32/Abetear.B infected C:\WINDOWS\system32\

AND HERE'S THE HJT LOG.

Logfile of HijackThis v1.99.1
Scan saved at 9:30:48 PM, on 8/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\AKProg\AKProg.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Documents and Settings\Eric G\My Documents\?ystem32\n?pdb.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\ERICG~1\APPLIC~1\ECURIT~1\wuauboot.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_UD.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eric G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\qebltbon.dll",forkonce
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Tptohtvh] "C:\Documents and Settings\Eric G\My Documents\?ystem32\n?pdb.exe"
O4 - HKCU\..\Run: [Atou] "C:\DOCUME~1\ERICG~1\APPLIC~1\ECURIT~1\wuauboot.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RXJpYyBHLg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

PLEASE TELL ME WHAT TO DO PLEASE.!

pskelley
2007-08-08, 15:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are quite infected, this one worries me: O4 - HKLM\..\Run: [winlog] winlog.exe
http://www.castlecops.com/startuplist-11877.html
http://www.castlecops.com/startuplist-12703.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GAOBOT.DF&VSect=T
If it is the Goabot backdoor trojan, then you can read how severely your system would be compromised. You can scan the file: http://www.virustotal.com/
to see if you wish, you will need to show hidden files and folders to see it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
And you would want to read this right away if it is a backdoor trojan:
http://www.dslreports.com/faq/10451

I am hoping it is the first item which is part of the whole bundled pile of junk you are infected with. If you want to continue with the cleanup and it will take some time and work, then start like this.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

(hold the report and log until you are finished)

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the uninstall list, report from combofix, report from Vundofix and a new HJT log.

Thanks

bullethead399
2007-08-09, 00:59
Ok. You guys are the best! When I first did all the steps, for some reason, it didn't want to save a log file when it's supposed to be prompted. So I reran HJT, VundoFix, and ComboFix. Now, HJT gave me one, VundoFix doesn't read any problems, and ComboFix didn't find problems either. I'm HOPING its fixed? Well, here's the logs now.

HJT LOG:

Ad-Aware SE Personal
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
AIM 6
AnyDVD
Avira UnErase Personal
Azureus Vuze
Bonjour Core for Windows
Business Plan Pro 2007
CloneDVD Full 3.0.2.5
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
hp deskjet 5550 series (Remove only)
hp print screen utility
Java(TM) 6 Update 2
Java(TM) SE Runtime Environment 6 Update 1
Keynote Connector
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
Nero 7 Demo
NVIDIA Drivers
NvMixer
SATARaid
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Spybot - Search & Destroy 1.4
upapp
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB931836)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
World of Warcraft

NO LIST FOR VUNDOFIX BECAUSE IT DIDN'T FIND ANY PROBLEMS.

ComboFix Log

ComboFix 07-08-07.6 - "Eric G" 2007-08-08 14:41:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.290 [GMT -7:00]


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 14:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 14:18 <DIR> d-------- C:\VundoFix Backups
2007-08-08 14:06 75,328 --a------ C:\WINDOWS\system32\dsiygyyf.exe
2007-08-07 20:23 <DIR> d-------- C:\!KillBox
2007-08-06 12:49 167 --a------ C:\DOCUME~1\ERICG~1\4544.bat
2007-08-06 12:48 <DIR> d-------- C:\WINDOWS\zrmw
2007-08-06 12:48 <DIR> d-------- C:\Program Files\Common Files\zrmw
2007-08-04 14:31 167 --a------ C:\DOCUME~1\ERICG~1\5796.bat
2007-08-04 14:31 <DIR> d--hs---- C:\WINDOWS\RXJpYyBHLg
2007-08-03 15:25 167 --a------ C:\DOCUME~1\ERICG~1\2588.bat
2007-08-03 11:19 167 --a------ C:\DOCUME~1\ERICG~1\8406.bat
2007-08-02 14:19 167 --a------ C:\DOCUME~1\ERICG~1\2906.bat
2007-07-31 15:39 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2007-07-31 14:47 1,763,352 ---hs---- C:\WINDOWS\system32\sttss.bak2
2007-07-31 02:28 6,506 ---hs---- C:\WINDOWS\system32\sttss.bak1
2007-07-31 02:23 9,814 --a------ C:\WINDOWS\system32\install.exe
2007-07-31 02:23 86,016 --a------ C:\WINDOWS\system32\ps.exe
2007-07-31 02:23 797 --a------ C:\WINDOWS\system32\x.dat
2007-07-31 02:23 73 --a------ C:\WINDOWS\system32\n.bat
2007-07-31 02:23 32,768 --a------ C:\WINDOWS\system32\setup9x.exe
2007-07-31 02:23 167 --a------ C:\WINDOWS\system32\3809.bat
2007-07-31 02:23 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-07-31 02:22 <DIR> d--hs---- C:\Program Files\outlook
2007-07-27 14:41 <DIR> d-------- C:\DOCUME~1\ERICG~1\APPLIC~1\Keynote Systems
2007-07-26 16:04 <DIR> d-------- C:\DOCUME~1\ERICG~1\Incomplete
2007-07-26 16:03 <DIR> d-------- C:\DOCUME~1\ERICG~1\APPLIC~1\LimeWire
2007-07-19 18:44 <DIR> d--h----- C:\DOCUME~1\ERICG~1\APPLIC~1\ijjigame


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-07 19:29 --------- d-------- C:\Program Files\Google
2007-07-29 10:36 --------- d-------- C:\Program Files\World of Warcraft
2007-06-25 16:17 --------- d-------- C:\DOCUME~1\ERICG~1\APPLIC~1\RipIt4Me
2007-06-25 13:45 --------- d-------- C:\DOCUME~1\ERICG~1\APPLIC~1\Viewpoint
2007-06-17 15:35 --------- d-------- C:\DOCUME~1\ERICG~1\APPLIC~1\Azureus
2007-06-17 15:19 --------- d-------- C:\Program Files\Azureus
2007-06-15 19:02 --------- d-------- C:\Program Files\AIM6
2007-06-15 19:01 --------- d-------- C:\Program Files\Viewpoint
2007-02-28 00:03 882 --a------ C:\Program Files\Acrobat Reader 5.0.lnk
2005-07-29 23:24:26 472 --sha-r C:\WINDOWS\RXJpYyBHLg\lrLDsV1JM0.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7F0D4C5-A6EE-4CFB-A398-CAF8527F3F7E}]
C:\WINDOWS\system32\sstts.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe" [2002-07-11 05:06]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-13 11:29]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 14:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 13:57]
"Tptohtvh"="C:\Documents and Settings\Eric G\My Documents\?ystem32\n?pdb.exe" []
"Atou"="C:\DOCUME~1\ERICG~1\APPLIC~1\ECURIT~1\wuauboot.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Palo Alto Software Update Manager 9.0.lnk - C:\WINDOWS\Installer\{6B2D979E-216D-43A4-BAE2-71A185922CA1}\NewShortcut1.BDD3527A_D6D6_4DD6_AEAD_6B5236DA8F67.exe [2007-02-28 15:13:05]
SATARaid.lnk - C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe [2007-02-28 01:08:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"application"=C:\Program Files\AKProg\AKProg.exe hs

R3 NVENET;NVIDIA nForce Networking Controller Driver;C:\WINDOWS\system32\DRIVERS\NVENET.sys
S1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
S3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
S3 odserv;Microsoft Office Diagnostics Service;"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 14:42:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 14:43:08
C:\ComboFix-quarantined-files.txt ... 2007-08-08 14:42
C:\ComboFix2.txt ... 2007-08-08 14:34

--- E O F ---

So I'm hoping everything is fixed now. Thanks a lot to you guys so such detailed instructions. Let me know if I have to do anything else.

THANKS!

pskelley
2007-08-09, 01:54
I really need to see the logs I ask for, I am blind without them. Please don't tell me they show nothing, post the logs and let me decide that for myself.

Uninstall list:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Java(TM) SE Runtime Environment 6 Update 1
Delete all old version in Add Remove progams.


Post the uninstall list, report from combofix, report from Vundofix and a new HJT log.

Please post the HJT log I requested.

Thanks

bullethead399
2007-08-09, 23:19
Sorry. I'm not trying to not show you. It's when I did what the directions you told me to do, it didn't save. Then i couldn't find where they were stored at either. So that's why i did the steps all over again and that is what I have now.

For example, when I did the HJT portion, when i clicked save it just closed the program. Same for VenudoFix. That's why I did everything over and that is what I got.

It seems like it's fixed now though.

pskelley
2007-08-09, 23:22
Would you please copy/paste a new HJT log.

Thanks

bullethead399
2007-08-10, 09:03
Logfile of HijackThis v1.99.1
Scan saved at 11:02:51 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AKProg\AKProg.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_UD.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Documents and Settings\Eric G\Desktop\HijackThis.exe
c:\program files\aim6\anotify.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {F7F0D4C5-A6EE-4CFB-A398-CAF8527F3F7E} - C:\WINDOWS\system32\sstts.dll (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Tptohtvh] "C:\Documents and Settings\Eric G\My Documents\?ystem32\n?pdb.exe"
O4 - HKCU\..\Run: [Atou] "C:\DOCUME~1\ERICG~1\APPLIC~1\ECURIT~1\wuauboot.exe" -vt ndrv
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


HERE IT IS. :cool:

pskelley
2007-08-10, 13:45
Thanks, a little more cleaning that needs to be done.

C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

C:\Program Files\AKProg\AKProg.exe <<< this is a keylogger, if you installed it and want it there, then ignore my removal instructions.
http://www.google.com/search?hl=en&q=AKProg.exe&btnG=Search

Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm

Start > Control Panel > Add Remove programs and uninstall AKProg

1) Please follow these instructions and post your uninstall list for me:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {F7F0D4C5-A6EE-4CFB-A398-CAF8527F3F7E} - C:\WINDOWS\system32\sstts.dll (file missing)
O4 - HKCU\..\Run: [Tptohtvh] "C:\Documents and Settings\Eric G\My Documents\?ystem32\n?pdb.exe"
O4 - HKCU\..\Run: [Atou] "C:\DOCUME~1\ERICG~1\APPLIC~1\ECURIT~1\wuauboot.exe" -vt ndrv

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\AKProg\ <<< delete that folder

C:\Documents and Settings\Eric G\My Documents\?ystem32\ <<< delete that folder

C:\DOCUMENTS AND SETTINGS~1\ERICG~1\APPLICATION DATA~1\ECURIT~1\ <<< delete that folder

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the uninstall list and a new HJT log, let me know how the computer is running.

Thanks

bullethead399
2007-08-11, 02:12
WOW. You guys have a lot of skills with this because I'm dumbfounded. haha. I removed both viewpoint programs...

When you said to remove AKProg.exe, I was never able to find it. There was no folder or it was not in the Add/Remove programs either.

The part where to told me to locate the three folders and delete them, one problem....I didn't find any of those anywhere.

My computer seems to be running great now thanks to you guys! Here is my uninstall list & new HJT log.

UNINSTALL LIST
Ad-Aware SE Personal
Adobe Download Manager 2.2 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.9
Adobe Shockwave Player
AIM 6
AnyDVD
Avira UnErase Personal
Azureus Vuze
Bonjour Core for Windows
Business Plan Pro 2007
CloneDVD Full 3.0.2.5
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD Decrypter (Remove Only)
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB926239)
hp deskjet 5550 series (Remove only)
hp print screen utility
Java DB 10.2.2.0
Java(TM) 6 Update 2
Java(TM) SE Development Kit 6 Update 2
Keynote Connector
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
Nero 7 Demo

HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:07:43 PM, on 8/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AKProg\AKProg.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Palo Alto Software\9.0\PAS9_UD.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Eric G\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Palo Alto Software Update Manager 9.0.lnk = ?
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} (Keynote Connector Launcher 2) - http://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Unknown owner - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

If my computer is good now. Thank you very much!

pskelley
2007-08-11, 02:22
I apologize, I tend to check several ways for junk, often a tool will remove it but I will still check for it in Add Remove programs and again to make sure the file is gone. I am trying to be positive the junk is gone for you.

Uninstall list: I look for malware and security issues, it's a great chance for you to see stuff you no longer use.
and all looks good there:bigthumb:

Your HJT log looks clean of malware. I would like to run one additional scan to be sure:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

If you are satisfied all is well and do not believe the additional scan is necessary, then do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-08-18, 03:27
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.