NEED HELP ASAP, keep getting popups etc, this damn ware sucks..



redize
2007-09-22, 11:49
Can anyone help me? I know you need a log first, right? Best place to start? I will follow step by step. Email me at (removed email address for security) if you respond! :)

ken545
2007-09-22, 14:57
Hello redize

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)

We don't fix malware through email, just the forum

Download and install Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download)

Download the Trend Micro HijackThis installer and follow the defaults; it will install in C:\Program Files\Trendmicro\Hijackthis, and this is exactly where we want it to be.


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a new thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Do this before you post your log.
This is important:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Scanner.exe

redize
2007-09-22, 23:23
Thanks, I followed all instructions, here's my log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:22 PM, on 9/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Owner\My Documents\?ecurity\n?pdb.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://paltalk.myway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\wpyaxuux.dll",sitypnow
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Owner\LOCALS~1\Temp\WINANT~1.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\THINKS~1.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\NI56D3~1.UWA\setup.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\NI56D3~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\41I78P6R\JAUN_2~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\CD2BOPAR\BANCON~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\8X6VCXMV\83122_~1.SH!
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyby.html

--
End of file - 9379 bytes

redize
2007-09-22, 23:32
Here's the log after renaming to scanner.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:31:25 PM, on 9/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Documents and Settings\Owner\My Documents\?ecurity\n?pdb.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://paltalk.myway.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7A4DFE85-4013-18BF-6526-4871C3039FCB} - C:\WINDOWS\System32\ncuolj.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {B507F258-BB40-4B93-AC75-1F2703D90091} - C:\WINDOWS\System32\pmnli.dll
O2 - BHO: CPub Object - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - c:\PROGRA~1\mcafee\mps\mcpopup.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\ukbgwuyd.dll",sitypnow
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\RunOnce: [DelayShred] c:\PROGRA~1\mcafee\mshr\ShrCL.EXE /P7 /q C:\DOCUME~1\Owner\LOCALS~1\Temp\WINANT~1.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\THINKS~1.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\NI56D3~1.UWA\setup.SH! C:\DOCUME~1\Owner\LOCALS~1\Temp\NI56D3~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\41I78P6R\JAUN_2~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\CD2BOPAR\BANCON~1.SH! C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\8X6VCXMV\83122_~1.SH!
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyby.html

--
End of file - 10386 bytes

ken545
2007-09-22, 23:44
redize,

FYI: the reason I had you rename HJT to something else is that the thieves who wrote the Vundo Trojan wrote it to evade a HJT scan; by renaming it, if the Vundo Trojan is present, it will show up in your log. You are infected with Vundo and a couple of other things. Look over your normal log and the renamed one and you will see a lot more entries.

Run these in order.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.




Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot up.


I need to see the Vundo log, the ComboFix log and a new HJT log. Keep it renamed, please.
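
The comparison asked for above (the normal log against the renamed-scan log) can be done mechanically. The script below is an added example for this thread, not code from the thread, from Trend Micro or from the HijackThis project: it parses the item lines of two HJT logs, lists the entries that only appear once HijackThis has been renamed, and flags entries with the traits visible in the logs posted here (a BHO registered as "(no name)", a System32 DLL with a random-looking name, a Run entry loading such a DLL via rundll32). The two sample logs are constructed from excerpts of the logs above; the name heuristic and the KNOWN_GOOD list are assumptions for triage, not a malware verdict.

```python
"""Compare a normal HijackThis log with one taken after renaming HijackThis.exe.

Added example; not code from the thread, from Trend Micro or from HijackThis.
The sample logs are constructed from excerpts of the logs posted in the thread.
"""
import re

# One HJT item line: "O4 - HKLM\..\Run: [...] ..." or "R1 - HKCU\...".
ITEM_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")

# A DLL in System32 whose basename is just 5-8 letters (constructed heuristic:
# the files in the thread look like ncuolj.dll, pmnli.dll, ukbgwuyd.dll).
# Legitimate names that also match are excluded via KNOWN_GOOD (assumption).
RANDOM_SYS32_DLL = re.compile(r"(?i)\\system32\\([a-z]{5,8})\.dll\b")
KNOWN_GOOD = {"msjava"}  # msjava.dll appears in a later log in the thread

# Constructed excerpt: scan run under the normal HijackThis.exe name.
NORMAL_LOG = r"""
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\wpyaxuux.dll",sitypnow
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Constructed excerpt: the same machine scanned after renaming HJT to scanner.exe.
RENAMED_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7A4DFE85-4013-18BF-6526-4871C3039FCB} - C:\WINDOWS\System32\ncuolj.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B507F258-BB40-4B93-AC75-1F2703D90091} - C:\WINDOWS\System32\pmnli.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\ukbgwuyd.dll",sitypnow
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


def parse_items(log_text):
    """Return (item type, full line) for every HJT item line; the header and
    the running-process list do not match ITEM_RE and are skipped."""
    items = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group("type"), line))
    return items


def flag_entry(line):
    """Reasons an entry deserves a closer look (empty list = nothing noticed)."""
    reasons = []
    if line.startswith("O2 - BHO: (no name)"):
        if line.endswith("(no file)"):
            reasons.append("orphaned BHO registration (DLL no longer on disk)")
        else:
            reasons.append("BHO registered without a name")
    m = RANDOM_SYS32_DLL.search(line)
    if m and m.group(1).lower() not in KNOWN_GOOD:
        reasons.append("loads a System32 DLL with a random-looking name")
        if line.startswith("O4 - ") and "rundll32" in line.lower():
            reasons.append("started at logon via rundll32")
    return reasons


def compare_logs(normal_text, renamed_text):
    """Entries present only in the renamed-scan log, plus heuristic flags."""
    seen_in_normal = {line for _, line in parse_items(normal_text)}
    renamed_items = parse_items(renamed_text)
    hidden = [line for _, line in renamed_items if line not in seen_in_normal]
    suspicious = []
    for _, line in renamed_items:
        reasons = flag_entry(line)
        if reasons:
            suspicious.append((line, reasons))
    return {"hidden_from_normal_scan": hidden, "suspicious": suspicious}


if __name__ == "__main__":
    report = compare_logs(NORMAL_LOG, RENAMED_LOG)
    print("Entries that only show up once HijackThis is renamed:")
    for line in report["hidden_from_normal_scan"]:
        print("  ", line)
    print("Entries worth a closer look:")
    for line, reasons in report["suspicious"]:
        print("  ", line)
        for r in reasons:
            print("      -", r)
```

On the constructed excerpts the whole O2 (BHO) section is missing from the normal-name scan, and the SearchIndexer Run entry shows a different DLL name in each scan, which is why a plain line-by-line diff is the first thing to look at before any heuristic.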

redize
2007-09-23, 05:36
I ran VundoFix and it found some that it needed to fix after reboot; however, once rebooted, instead of hitting fix on the ones, I rescanned and it said it didn't find any. Hope this is OK. Also, I noticed I have a bunch of Windows updates on the bottom, so I am currently doing them. I usually slack on my computer cleaning/repairing etc., but these popups became too much and I now realize the importance of staying on top of things. Once I'm done with this I will run the other programs and give you logs of each. Thanks again for the help, how can I repay you???:)

redize
2007-09-24, 00:06
Here's the Vundo log; running the others now:


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:37:31 PM 9/21/2007

Listing files found while scanning....

C:\WINDOWS\System32\cgyvswjn.dll
C:\windows\system32\cilygfnm.ini
C:\windows\system32\edqgygpt.ini
C:\windows\system32\ifrgubgp.dll
C:\windows\system32\mnfgylic.dll
C:\windows\system32\pgbugrfi.ini2
C:\windows\system32\pgbugrfi.tmp
C:\windows\system32\tpgygqde.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\cgyvswjn.dll
C:\WINDOWS\System32\cgyvswjn.dll Has been deleted!

Attempting to delete C:\windows\system32\cilygfnm.ini
C:\windows\system32\cilygfnm.ini Has been deleted!

Attempting to delete C:\windows\system32\edqgygpt.ini
C:\windows\system32\edqgygpt.ini Has been deleted!

Attempting to delete C:\windows\system32\ifrgubgp.dll
C:\windows\system32\ifrgubgp.dll Has been deleted!

Attempting to delete C:\windows\system32\mnfgylic.dll
C:\windows\system32\mnfgylic.dll Has been deleted!

Attempting to delete C:\windows\system32\pgbugrfi.ini2
C:\windows\system32\pgbugrfi.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pgbugrfi.tmp
C:\windows\system32\pgbugrfi.tmp Has been deleted!

Attempting to delete C:\windows\system32\tpgygqde.dll
C:\windows\system32\tpgygqde.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:47:15 PM 9/21/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 7:58:14 PM 9/22/2007

Listing files found while scanning....

C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.tmp
C:\windows\system32\pmnli.dll
C:\WINDOWS\System32\ukbgwuyd.dll

Beginning removal...

Attempting to delete C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\bmdxkpnk.dll Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.tmp
C:\windows\system32\ilnmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\ukbgwuyd.dll
C:\WINDOWS\System32\ukbgwuyd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:04:27 PM 9/22/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 2:34:00 PM 9/23/2007

Listing files found while scanning....

C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini2
C:\WINDOWS\system32\nqttvdyr.dll
C:\windows\system32\pmnli.dll
C:\WINDOWS\system32\rydvttqn.ini

Beginning removal...

Attempting to delete C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Could not be deleted.

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rydvttqn.ini
C:\WINDOWS\system32\rydvttqn.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 2:55:22 PM 9/23/2007

Listing files found while scanning....

No infected files were found.
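
The log above holds several VundoFix runs appended to one file, including the extra removal pass VundoFix does after a reboot (the "Beginning removal..." block with no scan header), which is the case the note about files it could not remove refers to. The script below is an added example for this thread, not code from the thread or from VundoFix: it splits a vundofix.txt into runs and reports which files were found, which were deleted, and which still read "Could not be deleted" after the last attempt. The sample log is constructed from excerpts of the output above, with the Java-version lines dropped.

```python
"""Summarise a vundofix.txt that holds several VundoFix runs.

Added example; not code from the thread or from VundoFix. The sample log is
constructed from excerpts of the log posted in the thread.
"""
import re

DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Has been deleted!$")
FAILED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) Could not be deleted\.$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")  # a bare path in the "Listing files" block

SAMPLE_LOG = r"""
VundoFix V6.5.9
Scan started at 7:58:14 PM 9/22/2007
Listing files found while scanning....
C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\pmnli.dll
C:\WINDOWS\System32\ukbgwuyd.dll
Beginning removal...
Attempting to delete C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\bmdxkpnk.dll Has been deleted!
Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.
Attempting to delete C:\WINDOWS\System32\ukbgwuyd.dll
C:\WINDOWS\System32\ukbgwuyd.dll Could not be deleted.
Performing Repairs to the registry.
Done!

VundoFix V6.5.9
Scan started at 2:34:00 PM 9/23/2007
Listing files found while scanning....
C:\WINDOWS\system32\nqttvdyr.dll
C:\windows\system32\pmnli.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Could not be deleted.
Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!

Beginning removal...
Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Has been deleted!
Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.
Performing Repairs to the registry.
Done!
"""


def _new_run(started):
    return {"started": started, "found": [], "deleted": [], "failed": []}


def parse_vundofix_log(text):
    """Split the log into runs. A 'Scan started at' line opens a run; a
    'Beginning removal...' block that arrives without a fresh scan is the
    pass VundoFix performs after a reboot and is recorded as its own run
    with started=None."""
    runs, run, phase = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan started at "):
            run = _new_run(line[len("Scan started at "):])
            runs.append(run)
            phase = None
            continue
        if line.startswith("Listing files found"):
            phase = "listing"
            continue
        if line.startswith("Beginning removal"):
            if run is None or phase == "removal":
                run = _new_run(None)
                runs.append(run)
            phase = "removal"
            continue
        if run is None:
            continue  # banner lines before the first scan
        m = DELETED_RE.match(line)
        if m:
            run["deleted"].append(m.group("path"))
            continue
        m = FAILED_RE.match(line)
        if m:
            run["failed"].append(m.group("path"))
            continue
        if phase == "listing" and PATH_RE.match(line):
            run["found"].append(line)
    return runs


def outcome_by_file(runs):
    """Latest known outcome per file, keyed by lower-cased path."""
    status = {}
    for run in runs:
        for p in run["found"]:
            status.setdefault(p.lower(), "found")
        for p in run["deleted"]:
            status[p.lower()] = "deleted"
        for p in run["failed"]:
            status[p.lower()] = "failed"
    return status


def unresolved_files(runs):
    """Files never confirmed deleted: candidates for the reboot pass or another tool."""
    return sorted(p for p, s in outcome_by_file(runs).items() if s != "deleted")


if __name__ == "__main__":
    runs = parse_vundofix_log(SAMPLE_LOG)
    for i, run in enumerate(runs, 1):
        label = run["started"] or "removal pass after reboot"
        print(f"run {i} ({label}): found={len(run['found'])} "
              f"deleted={len(run['deleted'])} failed={len(run['failed'])}")
    print("still unresolved:", unresolved_files(runs))
```

On the constructed sample, nqttvdyr.dll fails in the second scan but is removed by the reboot pass, while pmnli.dll fails in every attempt and ukbgwuyd.dll is never confirmed deleted; those two are the ones the next tool in the sequence has to deal with.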

redize
2007-09-24, 00:09
Trying to run ComboFix and it says a freeware implementation of REG.EXE has encountered a problem and needs to close.
It won't let me run the program. :(

ken545
2007-09-24, 00:20
You may have gotten a bad download of ComboFix. Drag it to the trash and download it from the other location; it will only run from your desktop.

Before you try again, post a new HJT log, and then try ComboFix again.

redize
2007-09-24, 02:47
I had to do a system restore because my computer wouldn't start. Here's a brand new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:25 PM, on 9/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Paltalk Messenger\palstart.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 6549 bytes

ken545
2007-09-24, 03:27
Vundo appears gone from your log, are you still getting popups?

Here's the scoop on Paltalk, it's your option to remove it or not.
http://www.superadblocker.com/definition/palstart/
C:\Program Files\Paltalk Messenger <-- you can uninstall it via the Add Remove Programs in the Control Panel.


Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: TA_Start.lnk = ?
O4 - Global Startup: PalStart.lnk = C:\Program Files\Paltalk Messenger\palstart.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm




Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
If you choose the online installation, it will prompt you to run the program.
If you choose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future

Were you able to run Combofix?? The rest of your log looks fine.
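The triage ken545 does by hand above (an O2 BHO listed as "(no file)", startup shortcuts whose target is "?", a Run entry that is only a bare filename, an O9 button whose DLL is missing) can be written down as a few checks over the log text. The script below is an added example for readers of this thread, not code from ken545, Trend Micro or HijackThis; the sample lines are copied from the logs posted in this thread into a constructed excerpt (a process running from a user's Temp folder is taken from the last log), and every flag it raises is a prompt for a helper to look closer, not a verdict that the entry is malicious.

```python
import re

# Constructed excerpt: real lines from the HijackThis logs in this thread,
# not a complete log, so the triage below runs offline.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\iexplor.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - Startup: TA_Start.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")               # "O4 - <body>"
RUN_RE = re.compile(r"\\Run(?:Once)?: \[[^\]]*\] (.+)$")   # Run key: [name] target
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)")   # hook with no DLL on disk
TEMP_DIR_RE = re.compile(r"\\Temp\\", re.IGNORECASE)       # anything under a Temp dir


def triage_hjt(log_text):
    """Return (reason, line) pairs for log lines that deserve a second look.

    These are review prompts, not verdicts: the helper still has to decide
    whether each flagged entry belongs to a program the user actually uses.
    """
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if in_processes:
            if TEMP_DIR_RE.search(line):
                findings.append(("executable running from a Temp directory", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group(1), m.group(2)
        if kind in ("O2", "O3", "O9") and ORPHAN_RE.search(body):
            # A registered browser hook whose file is gone: a leftover from an
            # uninstall or from a cleanup that removed the DLL but not the key.
            findings.append((f"{kind} entry with no backing file", line))
        elif kind == "O4":
            if body.endswith("= ?"):
                findings.append(("startup shortcut with unknown target", line))
            else:
                run = RUN_RE.search(body)
                if run and "\\" not in run.group(1):
                    # Bare filename: resolved through the search path at logon,
                    # so the log alone does not say which file really runs.
                    findings.append(("Run entry with a bare filename (no path)", line))
    return findings


def reasons(log_text):
    """Just the reason strings, in log order (handy for a quick summary)."""
    return [reason for reason, _ in triage_hjt(log_text)]


if __name__ == "__main__":
    for reason, line in triage_hjt(SAMPLE_LOG):
        print(f"{reason}:\n    {line}")
```

Run against the sample, the script flags exactly the five lines a helper would ask about and stays silent on the HP and Adobe entries with a full path and an existing file; a real log is fed in by reading the saved Notepad file into `triage_hjt`.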

redize
2007-09-24, 08:08
Thanks so much for all your help, no popups so far.
Just ran ComboFix; while it was running Norton said it found a virus, something like windows/154.exe then 157 etc., but said it deleted them.

Here's the ComboFix log, will post a new HJT log next.

ComboFix 07-09-21.2 - "Owner" 2007-09-23 22:59:06.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.183 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1.exe
C:\check_LSA7.txt
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\DEFAUL~1\err.log
C:\DOCUME~1\Owner\APPLIC~1\STEM~1
C:\DOCUME~1\Owner\APPLIC~1\WinTouch
C:\DOCUME~1\Owner\APPLIC~1\WinTouch\wintouch.cfg
C:\DOCUME~1\Owner\err.log
C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1
C:\DOCUME~1\Owner\MYDOCU~1\ECURIT~1\n?pdb.exe
C:\Program Files\icroso~1
C:\Program Files\icroso~1\?icrosoft\
C:\Program Files\inetget2
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\srvupd.exe
C:\Program Files\ISM\targets.gz
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\web buying
C:\Program Files\web buying\v1.8.3\wbuninst.exe
C:\Program Files\WinAble
C:\Program Files\WinAble\UnInstall.exe
C:\sstray.exe
C:\svhost.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\tskmgr.exe
C:\WINDOWS\1.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
D:\Autorun.inf
f:\autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2007-08-24 to 2007-09-24 )))))))))))))))))))))))))))))))
.

2007-09-23 17:54 <DIR> d-------- C:\Program Files\SymNetDrv
2007-09-23 17:36 182,880 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2007-09-23 17:36 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-09-23 17:34 32,256 --a--c--- C:\WINDOWS\system32\dllcache\msgsvc.dll
2007-09-23 17:34 32,256 --a------ C:\WINDOWS\system32\msgsvc.dll
2007-09-23 17:20 <DIR> d---s---- C:\DOCUME~1\DEFAUL~1\UserData
2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Shared
2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Incomplete
2007-09-23 17:20 <DIR> d-------- C:\DOCUME~1\DEFAUL~1\Contacts
2007-09-23 15:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-22 20:49 <DIR> d-------- C:\WINDOWS\provisioning
2007-09-22 20:49 <DIR> d-------- C:\WINDOWS\peernet
2007-09-22 20:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-09-22 20:35 <DIR> d-------- C:\WINDOWS\EHome
2007-09-22 14:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-21 22:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-21 22:51 <DIR> d-------- C:\Program Files\CCleaner
2007-09-21 22:37 <DIR> d-------- C:\VundoFix Backups
2007-09-20 09:13 425,480 --a------ C:\sysowyo.exe
2007-09-20 09:13 425,480 --a------ C:\sysnkqy.exe
2007-09-20 03:00 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-09-20 01:07 425,480 --a------ C:\sysydta.exe
2007-09-19 19:15 <DIR> d-------- C:\Program Files\McAfee.com
2007-09-19 19:14 <DIR> d-------- C:\Program Files\McAfee
2007-09-19 19:14 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-09-19 18:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-09-19 18:40 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-09-19 18:10 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-09-19 18:10 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\PC Tools
2007-09-19 16:46 425,480 --a------ C:\sysysnk.exe
2007-09-19 16:46 425,480 --a------ C:\sysgqfg.exe
2007-09-19 15:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-19 15:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-18 06:20 281 --a------ C:\ernmwr3w.exe
2007-09-15 18:23 <DIR> d-------- C:\WINDOWS\uzzf
2007-09-15 18:23 <DIR> d-------- C:\Program Files\Common Files\uzzf
2007-09-13 10:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-23 17:54 --------- d-------- C:\Program Files\Symantec
2007-09-23 17:53 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-23 17:36 3994 -rahs---- C:\WINDOWS\system32\drivers\HP_DT158A-ABA A445C_YC_Pavi_QMXR419_E41NAheBLU4_4_IKamet2_SASUSTek Computer INC._V2.01_B3.07_T040119_WXH1_L409_M448_J160_7AMD_8Athlon XP 3000+_92.16_111063044_N11063065_P_Z11C1044C_K_A11063059_U11063038_G11067205_O_DILO5611.MRK
2007-09-22 23:28 --------- d-------- C:\Program Files\MSN Messenger
2007-09-22 13:54 --------- d-------- C:\Program Files\Kasamba
2007-09-19 15:32 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-15 20:04 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-09-14 11:10 10 --a------ C:\Program Files\.autoreg
2007-08-07 19:37 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-07-26 20:53 --------- d-------- C:\Program Files\Common Files\SWF Studio
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-04-07 07:07]
"CamMonitor"="c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 07:23]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-23 02:55]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 08:01]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-10-10 21:58]
"AutoTKit"="C:\hp\bin\AUTOTKIT.EXE" [2003-06-18 19:19]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 21:42]
"VTTimer"="VTTimer.exe" [2003-05-07 23:32 C:\WINDOWS\system32\VTTimer.exe]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2003-08-15 00:59]
"LTMSG"="LTMSG.exe" [2003-07-14 17:52 C:\WINDOWS\ltmsg.exe]
"Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [2003-08-14 21:11]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2003-06-17 18:13]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-09-23 17:54]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-07 21:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"NVIEW"="nview.dll,nViewLoadHook" []
"BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [2003-06-22 21:25]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 08:20:40]

C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\
Connect Kasamba.lnk - C:\Program Files\Kasamba\Kasamba.exe [2007-08-23 13:43:45]
PowerReg Scheduler V3.exe [2007-02-02 01:50:24]

S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\System32\DRIVERS\nvcap.sys
S2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\System32\DRIVERS\NVxbar.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-20 02:16:44 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-20 02:16:43 C:\WINDOWS\Tasks\McQcTask.job"
"2007-09-24 00:51:31 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- c:\PROGRA~1\NORTON~1\Navw32.exe
"2007-09-24 00:51:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-23 23:03:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-23 23:06:05 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-23 23:05
.
--- E O F ---

redize
2007-09-24, 08:09
Here's the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:13 PM, on 9/23/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6166 bytes

ken545
2007-09-24, 10:57
Good Morning,
Remove this with HJT.
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')


C:\Program Files\Kasamba Is this a program that you use??


We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.

ComboFix picked up a few files that I am unsure of. What I would like you to do is upload them to this site for analysis and post the reports.


Go to Jotti Upload (http://virusscan.jotti.org/) and under the browse feature,
browse to these files

C:\sysowyo.exe
C:\sysgqfg.exe
C:\sysysnk.exe
C:\sysgqfg.exe
C:\ernmwr3w.exe

Then click on upload and it will give you a report, post the report in your next reply.

redize
2007-09-26, 02:19
OK, I did everything. Yes, Kasamba is a prog I use, it's safe, but when trying the Jotti upload I click on any one of the sys****.exe and get a message from Norton saying it's a trojan and cannot be repaired; it won't let me upload it, and I tried deleting them and it says access denied :(

ken545
2007-09-26, 02:50
We can and will delete them once we know for sure that they're bad; when they won't Google they're almost 100% bad, but let's try this before we remove them.

Right click on Norton in the system tray ( by the clock ) and either shut it down or disable it, it will be enabled the next time you reboot. Then try the Jotti upload again.

redize
2007-09-26, 07:34
OK, I tried with Norton disabled and get this message from Jotti:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

ken545
2007-09-26, 11:04
OK, then let's do this.

First look for the files manually yourself. I may seem overcautious, but we don't want to remove any files that may be needed by one of your programs. When you find the files, right click on them and go to Properties and it will give you info on that file; let me know what they are related to. Just do the top 2 as they all seem related and were created on the same date.

C:\ernmwr3w.exe
C:\sysowyo.exe
C:\sysgqfg.exe
C:\sysysnk.exe
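ken545's reasoning above, that the C:\sys*.exe files "all seem related and were created on the same date", is visible in the "Files Created" section of the ComboFix log posted earlier in the thread: five executables dropped straight into the root of C:\ with the same 425,480-byte size. The script below is an added example, not ken545's code and not part of ComboFix; it parses a constructed excerpt made of lines from that ComboFix log and clusters root-level executables by size, so that a batch of one payload written under several random names stands out from ordinary installs.

```python
import re
from collections import defaultdict

# Constructed excerpt: real lines from the "Files Created" section of the
# ComboFix log in this thread, not the whole section.
SAMPLE_CREATED = r"""2007-09-23 17:54 <DIR> d-------- C:\Program Files\SymNetDrv
2007-09-23 17:36 182,880 --a------ C:\WINDOWS\system32\iuengine.dll
2007-09-23 15:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-20 09:13 425,480 --a------ C:\sysowyo.exe
2007-09-20 09:13 425,480 --a------ C:\sysnkqy.exe
2007-09-20 01:07 425,480 --a------ C:\sysydta.exe
2007-09-19 16:46 425,480 --a------ C:\sysysnk.exe
2007-09-19 16:46 425,480 --a------ C:\sysgqfg.exe
2007-09-18 06:20 281 --a------ C:\ernmwr3w.exe
"""

# One ComboFix row: date, time, either <DIR> or a comma-grouped size,
# an attribute string, then the path (which may contain spaces).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?:<DIR>|(?P<size>[\d,]+))\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# An .exe directly in a drive root, e.g. C:\sysowyo.exe (no further backslash).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)


def parse_created(section):
    """Yield (date, time, size_bytes, path) for file rows; <DIR> rows are skipped."""
    for raw in section.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("size") is None:
            continue
        yield (m.group("date"), m.group("time"),
               int(m.group("size").replace(",", "")), m.group("path"))


def root_executables(section):
    """Executables dropped directly into a drive root, in log order."""
    return [path for _, _, _, path in parse_created(section) if ROOT_EXE_RE.match(path)]


def size_clusters(section, min_members=2):
    """Group root executables by exact byte size.

    Several files of identical size under unrelated random names within a few
    days of each other are usually one component re-dropped, which is the
    pattern ken545 spotted by eye.
    """
    groups = defaultdict(list)
    for _, _, size, path in parse_created(section):
        if ROOT_EXE_RE.match(path):
            groups[size].append(path)
    return {size: sorted(paths) for size, paths in groups.items() if len(paths) >= min_members}


if __name__ == "__main__":
    print("root executables:", root_executables(SAMPLE_CREATED))
    for size, paths in size_clusters(SAMPLE_CREATED).items():
        print(f"{len(paths)} files of {size} bytes: {', '.join(paths)}")
```

On the sample the only cluster is the five 425,480-byte files; `C:\ernmwr3w.exe` (281 bytes) is still reported by `root_executables`, since a tiny executable in the drive root is worth a look on its own even without siblings.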

redize
2007-09-26, 23:39
Under type of file it just says Application

ken545
2007-09-27, 02:00
Let's do this.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



File::
C:\ernmwr3w.exe
C:\sysowyo.exe
C:\sysgqfg.exe
C:\sysysnk.exe



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
together with a new HijackThis log.

redize
2007-09-28, 02:12
I had to run system recovery again on my computer because that damn WinAntiVirus thing came back and would not let me get on the net or anything. I am sure it's these files, can you just tell me how to get rid of them? I am 100% positive it has to be them, and if we do mess something up I'll just run the system recovery again lol... here's a new HJT log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:08 PM, on 9/27/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\RunOnce: [regcmdcons] c:\windows\regedit.exe /s c:\hp\bin\cmdcons2.reg
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TA_Start.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: TA_Start.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 6966 bytes

ken545
2007-09-28, 02:42
I don't know if those files were deleted or not, I need to see the last ComboFix log.

Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.


f:\autorun.inf


Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
If it's not greyed out, click the radio button that says Unregister .dll before deleting.
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.


Fix this entry with HJT.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)



Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


Let me see the last Combofix log and the SAS log and a New HJT log

redize
2007-10-01, 12:10
The SAS log is way too big to post here :(

redize
2007-10-01, 12:11
Plus, after all that, just got damn WinAntiSpyware running a check and back on.. shit :( Over a week with no luck!

redize
2007-10-01, 12:12
New HJT log at least:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:02 AM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\cmd.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\iexplor.exe
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: TA_Start.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT Startup: TA_Start.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: AutoTBar.exe
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe

--
End of file - 7177 bytes

ken545
2007-10-01, 13:02
redize,

Please refrain from using any foul language in the forum or I won't be able to continue to help you.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - S-1-5-18 Startup: TA_Start.lnk = ? (User 'SYSTEM')
O4 - .DEFAULT Startup: TA_Start.lnk = ? (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')



1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to Delete:
C:\Documents and Settings\Owner\Local Settings\Temp\iexplor.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.



Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.

Once you are on the Panda site click the "Scan your PC" button
A new window will open...click the big "Check Now" button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
If you are on a slow connection it will take about 15 minutes for the scanner to load.
Click on "Local Disks" to start the scan
Once the scan is done, click "see report" then "save report"
Save the log someplace you can find
Reboot
Post the Panda scan results in your next reply



Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.zip)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.


Let me see the Panda Report, Smitfraud report and a New HJT log. Also you can open up the SAS report, it will open in Notepad, you can delete any references to cookies and post the log; if the log is still too big, post it in sections.

redize
2007-10-01, 20:55
Very sorry for the language, just frustrated..

Here's the Avenger log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gpiewsvs

*******************

Script file located at: \??\C:\qeiwonta.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Documents and Settings\Owner\Local Settings\Temp\iexplor.exe not found!
Deletion of file C:\Documents and Settings\Owner\Local Settings\Temp\iexplor.exe failed!

Could not process line:
C:\Documents and Settings\Owner\Local Settings\Temp\iexplor.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.






Here's HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:29 AM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hhupd.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\tsitra1000106.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\frmwrk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\syst66x.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BhoApp Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\WINDOWS\System32\bho.dll
O2 - BHO: Editor plugin - {49F3A26F-CC23-4112-A5E1-38FDE8D40F9E} - smuhdd.dll (file missing)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-dcf7-f96da086b434} - C:\Documents and Settings\Owner\posterm.dll
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\Documents and Settings\Owner\systerm.exe
O2 - BHO: (no name) - {74f25a2c-22b3-4023-8f1a-ca616c30a8b5} - C:\WINDOWS\System32\mxcrtp.dll
O2 - BHO: (no name) - {7771CC79-C39A-4447-A7FE-075B50873C3D} - (no file)
O2 - BHO: (no name) - {8318875B-4F18-471B-8AFD-71B3A4C48AED} - (no file)
O2 - BHO: (no name) - {85ec429b-a769-4b0c-9897-ec9ac367c55b} - (no file)
O2 - BHO: (no name) - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - (no file)
O2 - BHO: (no name) - {9803B78E-5BB5-4760-95A4-66F8202732A1} - C:\WINDOWS\System32\pmkji.dll
O2 - BHO: (no name) - {B6615A2C-2FC0-42AE-897E-A698919663BE} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {c5183abc-eb6e-4e05-b8c9-500a16b6cf94} - C:\WINDOWS\System32\mssvmdll.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Owner\wintst.dll
O3 - Toolbar: (no name) - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\DOCUME~1\Owner\LOCALS~1\Temp\regdll32.exe
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\Documents and Settings\Owner\stubext.dll
O3 - Toolbar: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - C:\Documents and Settings\Owner\sthbdm32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Owner\LOCALS~1\Temp\frmwrk.exe
O4 - HKLM\..\Run: [new.net startup] C:\DOCUME~1\Owner\LOCALS~1\Temp\mssvmdll.dll
O4 - HKLM\..\Run: [shellbn] C:\DOCUME~1\Owner\LOCALS~1\Temp\wintst.dll
O4 - HKLM\..\Run: [bxproxy] C:\DOCUME~1\Owner\LOCALS~1\Temp\systerm.exe
O4 - HKLM\..\Run: [mmnext06] C:\DOCUME~1\Owner\LOCALS~1\Temp\regdll32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpywareSoftStop] C:\Program Files\SpywareSoftStop\SpywareSoftStop.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifedca - C:\WINDOWS\SYSTEM32\iifedca.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyby.html

--
End of file - 10787 bytes
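As an added example (not a tool from this thread or from any of the programs it names), here is a small Python triage script that reads HJT log lines like the ones above and flags the entry types the helper acted on: hijacked R0/R1 pages, extra UserInit executables, autoruns launched from Temp or the profile root, orphaned BHO/toolbar/service entries, AppInit_DLLs and desktop components. The allowlists are constructed for this example, and the sample lines are copied from the logs in this thread.

```python
"""Triage helper for HijackThis (HJT) logs like the ones posted in this thread.

Added example, not a tool from the thread: it cleans nothing, it only reads
HJT lines and points out the entry types worth a closer look.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlists for this example: the OEM (HP) home/search hosts seen
# in the clean logs, and the one Winlogon Notify DLL known to belong to SAS.
TRUSTED_PAGE_HOSTS = {"us10.hpwis.com", "srch-us10.hpwis.com"}
TRUSTED_NOTIFY_DLLS = {"saswinlo.dll"}

# A file in %TEMP%, or sitting directly in the profile root, is a poor home
# for anything that autostarts or loads into the browser.
RISKY_PATH = re.compile(
    r"\\(Temp|LOCALS~1)\\|\\Documents and Settings\\[^\\]+\\[^\\]+\.(exe|dll)\b",
    re.IGNORECASE,
)


def section_of(line):
    """'O4 - HKLM\\..\\Run: ...' -> 'O4'; None for non-entry lines."""
    m = re.match(r"([A-Z]\d{1,2}) - ", line)
    return m.group(1) if m else None


def flag_entry(line):
    """Return the reasons an HJT entry deserves a closer look (empty list = nothing noted)."""
    sec = section_of(line)
    reasons = []
    if sec in ("R0", "R1"):
        # Start/search page pointing anywhere but the OEM hosts is a hijack.
        host = urlsplit(line.split(" = ", 1)[-1].strip()).hostname or ""
        if host and host not in TRUSTED_PAGE_HOSTS:
            reasons.append(f"browser page/search hijack -> {host}")
    elif sec == "F2" and "UserInit=" in line:
        # UserInit should list only userinit.exe; anything appended runs at every logon.
        progs = [p.strip() for p in line.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("extra UserInit executables: " + ", ".join(extra))
    elif sec == "O4":
        if RISKY_PATH.search(line):
            reasons.append("autorun launched from Temp or profile root")
        if "[userinit]" in line.lower():
            reasons.append("Run value named after userinit (masquerading)")
    elif sec in ("O2", "O3"):
        if "(no file)" in line or "(file missing)" in line:
            reasons.append("orphaned BHO/toolbar entry (target file gone)")
        elif "(no name)" in line and RISKY_PATH.search(line):
            reasons.append("unnamed BHO/toolbar loading from the profile")
    elif sec == "O20":
        if "AppInit_DLLs" in line:
            reasons.append("AppInit_DLLs set: DLL injected into every user32 process")
        elif "Winlogon Notify" in line:
            dll = line.rsplit("\\", 1)[-1].lower()
            if dll not in TRUSTED_NOTIFY_DLLS:
                reasons.append(f"Winlogon Notify DLL not on allowlist: {dll}")
    elif sec == "O23":
        if "Unknown owner" in line and "(file missing)" in line:
            reasons.append("orphaned service with unknown owner")
    elif sec == "O24":
        reasons.append("Active Desktop HTML component (rogue-antispyware wallpaper trick)")
    return reasons


def triage(log_text):
    """Run flag_entry over every line of an HJT log; return [(section, line, reasons)] for hits."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = flag_entry(line)
        if reasons:
            hits.append((section_of(line), line, reasons))
    return hits


# Constructed sample: entries copied from the logs in this thread, with clean
# ones mixed in so the allowlists are exercised too.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-dcf7-f96da086b434} - C:\Documents and Settings\Owner\posterm.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Framework] C:\DOCUME~1\Owner\LOCALS~1\Temp\frmwrk.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifedca - C:\WINDOWS\SYSTEM32\iifedca.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\profsyby.html
"""

if __name__ == "__main__":
    for sec, line, reasons in triage(SAMPLE_LOG):
        print(f"[{sec}] {line}")
        for r in reasons:
            print(f"       - {r}")
```

It is a reading aid only; which entries to actually fix still depends on a helper's judgement, as in the thread.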

redize
2007-10-01, 21:01
The ATF Cleaner link won't work, and Panda needs IE. I use Firefox, is there one I can use for Firefox? Here's the SmitFraud log:

SmitFraudFix v2.234

Scan done at 11:59:57.43, Mon 10/01/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hhupd.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\tsitra1000106.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe
C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\frmwrk.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\syst66x.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Messenger\\profsyby.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\System32\\tmp_2h.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Rhine II Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{61B3F0E0-A4E0-44CF-AC05-B0A2DBABFBF0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{61B3F0E0-A4E0-44CF-AC05-B0A2DBABFBF0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{61B3F0E0-A4E0-44CF-AC05-B0A2DBABFBF0}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

redize
2007-10-01, 21:12
Also this stupid 3spyware thing loads up every time, and there's a red circle with a white x in the middle of it on the bottom of my desktop and it keeps making a popping noise. Also when I hit ctrl alt delete it says the task manager has been disabled by the administrator.

redize
2007-10-01, 21:28
Reran SuperAntiSpyware and got rid of that 3spy thing. Task manager still says disabled when I try to click ctrl alt delete..

redize
2007-10-01, 21:30
Got ATF Cleaner to work, just still can't get task manager to work. Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:30:03 PM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {49F3A26F-CC23-4112-A5E1-38FDE8D40F9E} - smuhdd.dll (file missing)
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\Documents and Settings\Owner\systerm.exe
O2 - BHO: (no name) - {7771CC79-C39A-4447-A7FE-075B50873C3D} - (no file)
O2 - BHO: (no name) - {8318875B-4F18-471B-8AFD-71B3A4C48AED} - (no file)
O2 - BHO: (no name) - {85ec429b-a769-4b0c-9897-ec9ac367c55b} - (no file)
O2 - BHO: (no name) - {B6615A2C-2FC0-42AE-897E-A698919663BE} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Owner\wintst.dll
O3 - Toolbar: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - C:\Documents and Settings\Owner\sthbdm32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKLM\..\Run: [shellbn] C:\DOCUME~1\Owner\LOCALS~1\Temp\wintst.dll
O4 - HKLM\..\Run: [bxproxy] C:\DOCUME~1\Owner\LOCALS~1\Temp\systerm.exe
O4 - HKLM\..\Run: [mmnext06] C:\DOCUME~1\Owner\LOCALS~1\Temp\regdll32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\xijdxdyi.dll",sitypnow
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifedca - iifedca.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 9041 bytes

ken545
2007-10-02, 00:38
Wow, you're really infected, it's going to take some work to get rid of all this.

Print out the following instructions as you will not have Internet Access for the rest of this fix. All this has to be done in Safemode



Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop. <-- Don't run it yet
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)



Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.


Download http://download.sysinternals.com/Files/ProcessExplorer.zip to your desktop and unzip it to your desktop

Boot to Safemode
To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)



Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double-click on winlogon.exe to bring up the winlogon.exe properties screen.
Click on the Threads tab at the top.
Once you see this screen click on each instance of: tmp_2h.dll once.
Once you see this screen click on each instance of: iifedca.dll once.
Then click the Kill button.
After you have killed all of: tmp_2h.dll and iifedca.dll under winlogon click OK.
BE SURE TO KILL ONLY THIS FILE


Next double-click on explorer.exe.
Select the Threads tab.
and again click once on each instance of: tmp_2h.dll and iifedca.dll
Then click the Kill button.
Once you have done that click OK again.
BE SURE TO KILL ONLY THIS FILE



Next run Hijack This! and place a check beside each of the following.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,

O2 - BHO: Editor plugin - {49F3A26F-CC23-4112-A5E1-38FDE8D40F9E} - smuhdd.dll (file missing)
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\Documents and Settings\Owner\systerm.exe
O2 - BHO: (no name) - {7771CC79-C39A-4447-A7FE-075B50873C3D} - (no file)
O2 - BHO: (no name) - {8318875B-4F18-471B-8AFD-71B3A4C48AED} - (no file)
O2 - BHO: (no name) - {85ec429b-a769-4b0c-9897-ec9ac367c55b} - (no file)
O2 - BHO: (no name) - {B6615A2C-2FC0-42AE-897E-A698919663BE} - (no file)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Owner\wintst.dll
O3 - Toolbar: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - C:\Documents and Settings\Owner\sthbdm32.dll

O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [shellbn] C:\DOCUME~1\Owner\LOCALS~1\Temp\wintst.dll
O4 - HKLM\..\Run: [bxproxy] C:\DOCUME~1\Owner\LOCALS~1\Temp\systerm.exe
O4 - HKLM\..\Run: [mmnext06] C:\DOCUME~1\Owner\LOCALS~1\Temp\regdll32.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\xijdxdyi.dll",sitypnow
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: iifedca - iifedca.dll (file missing)




Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\winptr.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\System32\hhupd.exe
C:\WINDOWS\System32\ntos.exe
C:\WINDOWS\System32\xijdxdyi.dll
C:\WINDOWS\System32\tmp_2h.dll
C:\WINDOWS\System32\iifedca.dll
C:\Program Files\Internet Explorer\winload.exe
C:\Documents and Settings\Owner\systerm.exe
C:\Documents and Settings\Owner\wintst.dll
C:\Documents and Settings\Owner\sthbdm32.dll
C:\Documents and Settings\Owner\Local Settings\Temp\wintst.dll
C:\Documents and Settings\Owner\Local Settings\Temp\systerm.exe
C:\Documents and Settings\Owner\Local Settings\Temp\regdll32.exe

Folders to delete:

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply



Now we need to run SDFix also in Safemode

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



I need to see the Avenger log, the SDfix log and a New HJT log please
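The post above reads the HijackThis log by hand: an extra program on the UserInit line, Run entries launched from Temp or the profile root, a value in AppInit_DLLs, a Winlogon Notify DLL that is missing. The script below is an added example (not HijackThis's own logic and not the forum's tooling) that applies the same reasoning to log lines automatically. The sample lines are copied from the log posted in this thread; the rule names, the severities and the SYSTEM_RUN_NAMES list are my own assumptions.

```python
"""Triage a HijackThis (HJT) log for the indicators a removal helper looks for.

Added example for this thread; rule names, severities and the heuristic
SYSTEM_RUN_NAMES list are assumptions of this example, not HJT's own logic.
"""
import re

# Constructed sample: a subset of the lines posted in this thread.  Paths are
# kept as they appear in the log; nothing on disk is touched.
SAMPLE_LOG = r'''
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\Documents and Settings\Owner\systerm.exe
O2 - BHO: Editor plugin - {49F3A26F-CC23-4112-A5E1-38FDE8D40F9E} - smuhdd.dll (file missing)
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Owner\wintst.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [bxproxy] C:\DOCUME~1\Owner\LOCALS~1\Temp\systerm.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\xijdxdyi.dll",sitypnow
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifedca - iifedca.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
'''

# Names Windows starts through other mechanisms (Winlogon's UserInit and
# Shell values, the session manager), so a Run value with one of these names
# is masquerading.  Heuristic list, an assumption of this example.
SYSTEM_RUN_NAMES = {"userinit", "winlogon", "explorer", "lsass", "csrss"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
RUN_NAME_RE = re.compile(r"\\\.\.\\Run: \[([^\]]+)\]")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# An .exe/.dll sitting directly in a user's profile folder, not in a subfolder.
PROFILE_ROOT_RE = re.compile(
    r"\\(documents and settings|docume~1)\\[^\\]+\\[^\\]+\.(exe|dll)\b",
    re.IGNORECASE)


def parse_line(line):
    """Return (section, rest) for an HJT entry such as 'O4 - ...', else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return a list of (severity, rule, line) findings for an HJT log."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, rest = parsed
        line = raw.strip()

        # F2: Winlogon's UserInit value should name userinit.exe and nothing else.
        if section == "F2" and "UserInit=" in rest:
            programs = [p for p in rest.split("UserInit=", 1)[1].split(",") if p.strip()]
            if len(programs) > 1:
                findings.append(("high", "userinit_extra", line))

        # O2: a BHO is an in-process COM DLL; an .exe registered as one is anomalous.
        if section == "O2" and rest.strip().lower().endswith(".exe"):
            findings.append(("high", "bho_is_exe", line))

        # O20: AppInit_DLLs is loaded into every process that loads user32.dll
        # and is empty on a clean XP install.
        if section == "O20" and rest.startswith("AppInit_DLLs:"):
            if rest.split(":", 1)[1].strip():
                findings.append(("high", "appinit_dlls_set", line))

        # O20: a Winlogon Notify package whose DLL HJT cannot find.
        if section == "O20" and rest.startswith("Winlogon Notify:") and "(file missing)" in rest:
            findings.append(("high", "winlogon_notify_missing", line))

        if section == "O4":
            m = RUN_NAME_RE.search(rest)
            if m and m.group(1).lower() in SYSTEM_RUN_NAMES:
                findings.append(("high", "run_masquerades_system_name", line))
            # rundll32 entries need a human look: a legitimate DLL (nview.dll)
            # and a malicious one are launched the same way.
            if "rundll32" in rest.lower():
                findings.append(("review", "rundll32_loads_dll", line))

        if section in {"O2", "O3", "O4", "O20"}:
            if TEMP_RE.search(rest):
                findings.append(("high", "loads_from_temp", line))
            if PROFILE_ROOT_RE.search(rest):
                findings.append(("high", "loads_from_profile_root", line))

        # Registered component whose file HJT could not find: orphan or hidden.
        if "(file missing)" in rest:
            findings.append(("review", "file_missing", line))

    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:28} {line}")
```

Run against the sample, the script flags every entry the helper asked to fix and leaves the Symantec, Adobe, SUPERAntiSpyware and NVIDIA entries alone; the two rundll32 lines come back as "review" because the log line alone cannot tell nview.dll from xijdxdyi.dll, which is exactly where the human reading of the log still matters.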

redize
2007-10-02, 01:32
should I just rerun system recovery instead of all this?

ken545
2007-10-02, 01:56
All of this infection is on your hard drive, after running system recovery you will still be infected.

One alternative is to do a reformat and a clean install of windows, BUT this is entirely up to you, I can't advise you either way.

My last set of instructions were not that hard to follow, why don't you give it a try.

redize
2007-10-02, 02:10
Gonna try it, thanks for everything so far!!!

redize
2007-10-02, 02:34
problems:

1) When running in safe mode it wanted me to choose Administrator or Owner.. I chose admin at first but it wouldn't boot up so I did owner which had it all

2) I tried running ProcessExplorer and got it running however I didn't see the threads tab up top, there was a thread for each section on the left but I didn't see any of the file extensions that you told me of

3) rebooted and chkdsk came on and ran itself saying it fixed some things, then once I got on got a message saying the computer recovered from a serious error.. haven't done anything else yet

here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:30:12 PM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\hhupd.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Editor plugin - {49F3A26F-CC23-4112-A5E1-38FDE8D40F9E} - smuhdd.dll (file missing)
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: (no name) - {6C6B8C69-9285-4D94-8492-9E920C8C2B65} - C:\Documents and Settings\Owner\systerm.exe
O2 - BHO: (no name) - {7771CC79-C39A-4447-A7FE-075B50873C3D} - (no file)
O2 - BHO: (no name) - {8318875B-4F18-471B-8AFD-71B3A4C48AED} - (no file)
O2 - BHO: (no name) - {85ec429b-a769-4b0c-9897-ec9ac367c55b} - (no file)
O2 - BHO: (no name) - {B6615A2C-2FC0-42AE-897E-A698919663BE} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - C:\Documents and Settings\Owner\wintst.dll
O3 - Toolbar: (no name) - {3ceff6cd-6f08-4e4d-bccd-ff7415288c3b} - C:\Documents and Settings\Owner\sthbdm32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKLM\..\Run: [shellbn] C:\DOCUME~1\Owner\LOCALS~1\Temp\wintst.dll
O4 - HKLM\..\Run: [bxproxy] C:\DOCUME~1\Owner\LOCALS~1\Temp\systerm.exe
O4 - HKLM\..\Run: [mmnext06] C:\DOCUME~1\Owner\LOCALS~1\Temp\regdll32.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\System32\xijdxdyi.dll",sitypnow
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - AppInit_DLLs: C:\WINDOWS\System32\tmp_2h.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifedca - iifedca.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 9030 bytes

redize
2007-10-02, 02:36
another quick question, is it even safe to do my work and check emails etc on this comp right now? I have a laptop I can use temporarily until this is fixed if I must..

redize
2007-10-02, 02:44
Ran HJT and fixed all you said.. seems to be running a bit smoother, here's the newest HJT log.. will wait for further instructions before I touch anything else..


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:57 PM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\System32\ntos.exe (User 'Default user')
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7690 bytes

ken545
2007-10-02, 03:03
Did you run those files through Avenger?? If so I need to see the report.

Did you run SDbotfix?? If so I need to see the report.

Your log is looking better but not clean yet. Keep in mind that you have had some serious infections on this machine, password stealing trojans and the like. It always leaves your system somewhat compromised.

Check email if you wish but at this point I would not do any online shopping or banking.

redize
2007-10-02, 03:27
avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fubenfas

*******************

Script file located at: \??\C:\WINDOWS\wxjlcoaf.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\winptr.exe deleted successfully.


File C:\WINDOWS\winshow.exe not found!
Deletion of file C:\WINDOWS\winshow.exe failed!

Could not process line:
C:\WINDOWS\winshow.exe
Status: 0xc0000034



File C:\WINDOWS\System32\hhupd.exe not found!
Deletion of file C:\WINDOWS\System32\hhupd.exe failed!

Could not process line:
C:\WINDOWS\System32\hhupd.exe
Status: 0xc0000034

File C:\WINDOWS\System32\ntos.exe deleted successfully.
File C:\WINDOWS\System32\xijdxdyi.dll deleted successfully.


File C:\WINDOWS\System32\tmp_2h.dll not found!
Deletion of file C:\WINDOWS\System32\tmp_2h.dll failed!

Could not process line:
C:\WINDOWS\System32\tmp_2h.dll
Status: 0xc0000034



File C:\WINDOWS\System32\iifedca.dll not found!
Deletion of file C:\WINDOWS\System32\iifedca.dll failed!

Could not process line:
C:\WINDOWS\System32\iifedca.dll
Status: 0xc0000034

File C:\Program Files\Internet Explorer\winload.exe deleted successfully.


File C:\Documents and Settings\Owner\systerm.exe not found!
Deletion of file C:\Documents and Settings\Owner\systerm.exe failed!

Could not process line:
C:\Documents and Settings\Owner\systerm.exe
Status: 0xc0000034

File C:\Documents and Settings\Owner\wintst.dll deleted successfully.
File C:\Documents and Settings\Owner\sthbdm32.dll deleted successfully.
File C:\Documents and Settings\Owner\Local Settings\Temp\wintst.dll deleted successfully.


File C:\Documents and Settings\Owner\Local Settings\Temp\systerm.exe not found!
Deletion of file C:\Documents and Settings\Owner\Local Settings\Temp\systerm.exe failed!

Could not process line:
C:\Documents and Settings\Owner\Local Settings\Temp\systerm.exe
Status: 0xc0000034



File C:\Documents and Settings\Owner\Local Settings\Temp\regdll32.exe not found!
Deletion of file C:\Documents and Settings\Owner\Local Settings\Temp\regdll32.exe failed!

Could not process line:
C:\Documents and Settings\Owner\Local Settings\Temp\regdll32.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

ken545
2007-10-02, 03:30
I only use Process Explorer when it's needed for serious infections, so I have not run it myself in a few months. I just downloaded a new copy from the link I sent you and everything in my instructions was present. You just did not read it and follow through.

I know being infected like this is frustrating and you want to get rid of it as fast as you can, but you can't jump ahead of me; you need to run the scans or programs that I have listed in the order given. I take a lot of time going over your log and trying to figure out the best course of action to take to better help you.

Ken:)

redize
2007-10-02, 04:11
I'm sorry Ken, I realize this, yet when I ran that prog I saw no threads tab anywhere up top; just when I would click a certain tab on the side the threads were there, but I searched all and didn't see any files ending with that...

I did run sdbot fix, here's a log and a new HJT log. I do know you are taking a lot of time with me and will pay you back however I can! I really appreciate it man!



sdbotfix log:

SDFix: Version 1.107

Run by Owner on Mon 10/01/2007 at 06:33 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
protect
runtime

ImagePath:
System32\drivers\protect.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys

protect - Deleted
runtime - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SVCHQY.DLL - Deleted
C:\WINDOWS\SYSTEM32\TMP_O.DLL - Deleted
C:\WINDOWS\SYSTEM32\WIN_PMO.DLL - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\4.TMP - Deleted
C:\4A.TMP - Deleted
C:\4B.TMP - Deleted
C:\4E.TMP - Deleted
C:\58.TMP - Deleted
C:\59.TMP - Deleted
C:\5B.TMP - Deleted
C:\5C.TMP - Deleted
C:\5D.TMP - Deleted
C:\5E.TMP - Deleted
C:\5F.TMP - Deleted
C:\60.TMP - Deleted
C:\61.TMP - Deleted
C:\62.TMP - Deleted
C:\63.TMP - Deleted
C:\64.TMP - Deleted
C:\65.TMP - Deleted
C:\67.TMP - Deleted
C:\7.TMP - Deleted
C:\A.TMP - Deleted
C:\Documents and Settings\Owner\Desktop\WinAntiSpyware 2007.lnk - Deleted
C:\Documents and Settings\Owner\Local Settings\Temp\WinAntiSpyware 2007 FreeInstall.exe - Deleted
C:\A.tmp - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\boa1.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\drivers\protect.sys - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\smuhdd.dll - Deleted
C:\WINDOWS\system32\win32.exe - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted


Folder C:\Program Files\InetGet2 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 27 Sep 2007 196 A.SHR --- "C:\BOOT.BAK"
Mon 1 Oct 2007 6,448 ..SH. --- "C:\WINDOWS\system32\gjllm.bak1"
Mon 1 Oct 2007 2,107,115 ..SH. --- "C:\WINDOWS\system32\ijkmp.bak2"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svch51.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svchl00.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\syst66x.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_226.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_5i.exe"
Mon 16 Apr 2007 661 A..H. --- "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"
Mon 16 Apr 2007 661 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"

Finished!


redize
2007-10-02, 04:21
sorry it posted the one twice, here's a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:34 PM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7173 bytes

redize
2007-10-02, 04:22
dang, russianbrides are back lol, patiently waiting on your step-by-step instructions...

redize
2007-10-02, 06:50
reread and tried instructions from before: there is nothing in procexp.exe in winlogon.exe with an instance of tmp_2h.dll or iifedca.dll once.

ken545
2007-10-02, 11:11
Next, go to Start > Run, type cmd and hit OK
Type in ipconfig /flushdns then hit enter
(that space between g and / is needed)
Type exit and hit enter




Remove these with HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76

O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)

O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



C:\WINDOWS\winptr.exe
C:\Program Files\Internet Explorer\winload.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Download and Save the Trial of Blacklight (http://www.f-secure.com/blacklight/) to your desktop.

Download the Blacklight Beta graphical user interface version
Double-click blbeta.exe
Then accept the agreement
Click > scan then > next
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log in your next reply.
Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"



Let me see the OtMoveIt log, the Blacklight log and a new HJT log please
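
The list above is the helper's own reading of the log: IE start/search pages pointing at a host the machine never used, a BHO with "(no file)", and two autoruns launched from odd places. The script below, an added example written for this thread and not part of HijackThis or the helper's instructions, encodes those same rules so a defender can triage an HJT v2 log mechanically; the trusted-host allowlist (the HP OEM pages seen in the log) and the "odd location" rules are assumptions stated in the comments, and the sample lines are copied from the log posted above.

```python
"""Rule-based triage of HijackThis v2 log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: the OEM (HP) default pages seen in the log are the only hosts
# this machine's IE start/search settings are expected to point at.
TRUSTED_URL_HOSTS = {"us10.hpwis.com", "srch-us10.hpwis.com"}
WINDIR = "c:\\windows"                          # assumed install path from the log
IE_DIR = "c:\\program files\\internet explorer"

# Constructed sample: a handful of lines taken from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"=\s*(?P<url>\S+)\s*$")
USER_SUFFIX = re.compile(r"\s*\(User '[^']*'\)\s*$")   # HJT v2 per-profile marker
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd))"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def r_reason(body: str) -> Optional[str]:
    """R0/R1: flag a start/search page whose host is not on the allowlist."""
    m = URL_RE.search(body)
    host = urlsplit(m.group("url")).hostname if m else None   # None for 'localhost'
    if host and host.lower() not in TRUSTED_URL_HOSTS:
        return f"browser start/search setting points at {host}"
    return None


def o4_target(body: str) -> Optional[str]:
    """Extract the launched path from an O4 body; '?' if HJT could not resolve it."""
    if "] " in body:                       # Run-key entry: [name] command
        target = body.split("] ", 1)[1]
    elif " = " in body:                    # Startup-folder shortcut: X.lnk = path
        target = body.split(" = ", 1)[1]
    else:
        return None
    target = USER_SUFFIX.sub("", target).strip()
    m = EXE_RE.match(target)               # drops trailing arguments such as ' /r'
    return m.group(1) if m else target


def o4_reason(target: Optional[str]) -> Optional[str]:
    """O4: heuristics for autoruns living where legitimate software does not."""
    if target is None:
        return None
    if target == "?":
        return "startup shortcut whose target HJT could not resolve"
    parent, _, name = target.lower().rpartition("\\")
    if parent == WINDIR:
        return "autorun binary sitting directly in the Windows directory"
    if parent == IE_DIR and name != "iexplore.exe":
        return "non-IE binary launched from the Internet Explorer folder"
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section in ("R0", "R1"):
            reason = r_reason(body)
        elif section in ("O2", "O3", "O9") and body.endswith(("(no file)", "(file missing)")):
            reason = "entry references a file that no longer exists"
        elif section == "O4":
            reason = o4_reason(o4_target(body))
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```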

ken545
2007-10-02, 13:13
If you have not done so already, run these through OtMoveIt.

C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\svch51.exe

Should be like this.


C:\WINDOWS\winptr.exe
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\svch51.exe
C:\Program Files\Internet Explorer\winload.exe


We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


Go to this site, Jotti Upload (http://virusscan.jotti.org/), and under the browse feature, browse to these files:

C:\WINDOWS\system32\svchl00.exe
C:\WINDOWS\system32\syst66x.exe
C:\WINDOWS\system32\tmp_226.exe
C:\WINDOWS\system32\tmp_5i.exe

Then click on upload and it will give you a report; post the report for each file in your next reply.
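
What the helper picked out of the SDFix "Files with Hidden Attributes" section was a pattern, not individual names: five hidden, read-only executables of exactly the same size dropped into system32 on the same day, plus two system+hidden files with invented ".bak1"/".bak2" extensions. The script below is an added example for this thread, not SDFix's own code; it parses that section of the report and applies those two checks, with the sample lines copied from the log posted above and the size-cluster threshold an assumption noted in the code.

```python
"""Triage the 'Files with Hidden Attributes' section of an SDFix report (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# SDFix prints:  <weekday> <day> <month> <year> <size> <ASHR flags> --- "<path>"
ATTR_LINE = re.compile(
    r'^(?P<date>\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4})\s+'
    r'(?P<size>[\d,]+)\s+(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$'
)
SYSTEM32 = "c:\\windows\\system32\\"        # assumed install path from the log
EXEC_EXT = (".exe", ".dll", ".sys", ".scr")
MIN_CLUSTER = 3                             # assumption: 3+ identical-size binaries is a cluster

# Constructed sample copied from the SDFix log posted above.
SAMPLE_REPORT = r"""
Files with Hidden Attributes:

Thu 27 Sep 2007 196 A.SHR --- "C:\BOOT.BAK"
Mon 1 Oct 2007 6,448 ..SH. --- "C:\WINDOWS\system32\gjllm.bak1"
Mon 1 Oct 2007 2,107,115 ..SH. --- "C:\WINDOWS\system32\ijkmp.bak2"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svch51.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svchl00.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\syst66x.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_226.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_5i.exe"
Mon 16 Apr 2007 661 A..H. --- "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"
"""


def parse_hidden_files(report: str) -> List[dict]:
    """Turn each attribute line into a dict; lines that do not match are skipped."""
    entries = []
    for line in report.splitlines():
        m = ATTR_LINE.match(line.strip())
        if not m:
            continue
        attrs = m["attrs"]                  # e.g. 'A.SHR': Archive, System, Hidden, Read-only
        entries.append({
            "date": m["date"],
            "size": int(m["size"].replace(",", "")),
            "hidden": "H" in attrs,
            "system": "S" in attrs,
            "readonly": "R" in attrs,
            "path": m["path"],
        })
    return entries


def size_clusters(entries: List[dict], min_count: int = MIN_CLUSTER) -> Dict[Tuple[int, str], List[str]]:
    """Group hidden executables by (size, directory); keep groups of min_count or more."""
    groups = defaultdict(list)
    for e in entries:
        low = e["path"].lower()
        if e["hidden"] and low.endswith(EXEC_EXT):
            parent = low.rpartition("\\")[0]
            groups[(e["size"], parent)].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


def triage_hidden(entries: List[dict]) -> Dict[str, str]:
    """Map each suspicious path to the reason it was flagged."""
    findings: Dict[str, str] = {}
    for (size, parent), paths in size_clusters(entries).items():
        for p in paths:
            findings[p] = f"one of {len(paths)} hidden executables of identical size ({size} bytes) in {parent}"
    for e in entries:
        low = e["path"].lower()
        if e["path"] in findings:
            continue
        # System+hidden files with a made-up extension in system32 are not how Windows stores backups
        if low.startswith(SYSTEM32) and e["system"] and e["hidden"] and not low.endswith(EXEC_EXT):
            findings[e["path"]] = "system+hidden file with a non-executable extension in system32"
    return findings


if __name__ == "__main__":
    for path, why in triage_hidden(parse_hidden_files(SAMPLE_REPORT)).items():
        print(f"{path}\n    {why}")
```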

redize
2007-10-03, 01:34
otmoveit results:

File/Folder C:\WINDOWS\winptr.exe not found.
C:\WINDOWS\system32\gjllm.bak1 moved successfully.
C:\WINDOWS\system32\ijkmp.bak2 moved successfully.
C:\WINDOWS\system32\svch51.exe moved successfully.
File/Folder C:\Program Files\Internet Explorer\winload.exe not found.

Created on 10/02/2007 16:34:26

redize
2007-10-03, 01:40
cannot find blacklight from the link you gave, waiting for further instructions before I do anything else..

ken545
2007-10-03, 01:51
It looks like they did away with it but included it in their online scanner.

http://support.f-secure.com/enu/home/ols.shtml

Post a new HJT log, then run the scan and post it please.

redize
2007-10-03, 02:12
new hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:52 PM, on 10/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6324 bytes


Running scan now then will post

redize
2007-10-03, 02:27
note: scan currently running had about 10 or so norton alerts that they removed certain virus/ trojan.pandex/ trojan/horse

ken545
2007-10-03, 02:45
Your log is not looking too bad :bigthumb: After you run Blacklight, update your Java. You need to do this; it will plug some holes that may be letting this garbage in.


Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future


Boot to Safemode and remove these


O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe


Post a new HJT log

redize
2007-10-03, 04:00
k will do that next, the scan is cleaning now, it said it found 28 viruses and 8 spyware

redize
2007-10-03, 04:09
report from scan:

Scanning Report
Tuesday, October 02, 2007 17:22:14 - 19:06:59
Computer name: YOUR-FSYLY0JTWN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 36 malware found
Adware.Ismas (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
NavExcel (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.Agent.acl (virus)
C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS (Renamed)
Trojan-Downloader.Win32.Agent.cbx (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\30397F4E.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\557B4B77.EXE (Renamed)
Trojan-Downloader.Win32.Agent.dlx (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5A5F60EC.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\795116E2.EXE (Renamed)
Trojan-Downloader.Win32.Agent.dpn (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\24976C1B.EXE (Renamed)
Trojan-Downloader.Win32.Small.buy (virus)
C:\WINDOWS\SYSTEM32\P1\DWDLDR1.EXE (Renamed)
Trojan-Downloader.Win32.Small.cyn (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\11582A1D.DLL (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59E1780C.DLL (Renamed)
Trojan-Downloader.Win32.Small.egd (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\43995B25.EXE (Renamed)
Trojan-Downloader.Win32.Small.fwu (virus)
C:\WINDOWS\SYSTEM32\S9\RW1000DR.EXE (Renamed)
Trojan-Downloader.Win32.Tiny.id (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\12AC6FCA.EXE (Renamed)
Trojan-Downloader.Win32.VB.bkw (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A2B6D93.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20803893.EXE (Renamed)
Trojan.Win32.Agent.bnd (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04E00503.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20C00E55.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3F1974E2.EXE (Renamed)
Trojan.Win32.BHO.ab (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\13EF2C66.EXE (Renamed)
C:\PROGRAM FILES\MESSENGER\LAVUMA.DLL
Trojan.Win32.VB.bgu (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\45F7735B.EXE (Renamed)
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\IYDXDJIX.INI
Win32.Backdoor.Agent (spyware)
System (Disinfected)
Win32.Trojan.Agent (spyware)
System (Disinfected)
Win32.TrojanDownloader.Agent (spyware)
System (Disinfected)
WinAntiSpyware (spyware)
System (Disinfected)
not-virus:Hoax.Win32.Agent.n (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\12C63FAD.EXE
not-virus:Hoax.Win32.Renos.cy (virus)
C:\WINDOWS\SYSTEM32\WARN.HTM
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DESKTOP.HTT
not-virus:Hoax.Win32.Renos.kg (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\11582A1D.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\13C26099.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\31103A8E.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\664.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48403
System: 5320
Not scanned: 7
Actions:
Disinfected: 8
Renamed: 19
Deleted: 0
None: 9
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\VMW10A\VMW10A1099.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\B1\GB83122.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\DFGAERT.DLL
C:\B4B43416D5A431B2B7AA75662E\MSI.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-03
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Libra: 2.4.2, 2007-10-02
F-Secure Orion: 1.2.37, 2007-10-03
F-Secure Pegasus: 1.19.0, 2007-09-01
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------


Also I had Norton pop up several times saying it detected viruses and was unable to fix or delete them. These were:

sysgqfg.exe
sysnkqy.exe
sysowyo.exe
sysydta.exe
sysysnk.exe and a few more I think...

redize
2007-10-03, 04:13
I went to remove java but the only thing I can see is:

Java 2 Runtime Environment SE v1.4.2, and it has a computer icon, not the coffee cup. Is this the one I remove?

ken545
2007-10-03, 10:36
Just leave uninstalling Java be, but install the new one. I will have to look into that.

Open up Norton and go into the Quarantine folder and remove it all.

Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight all the files with the complete path inside the quote and press Ctrl C on your keyboard.

sysgqfg.exe
sysnkqy.exe
sysowyo.exe
sysydta.exe
sysysnk.exe

Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
If it's not greyed out, click the radio button that says Unregister .dll before deleting.
Make sure ALL Files is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.

Reboot and run Norton again and let me know of any other files it picked up.

redize
2007-10-03, 11:35
OK, I went to quarantined items and it said none, but there were 20-something backup items in that section that I deleted. Is that OK? They were mostly viruses etc.

redize
2007-10-03, 12:05
I'm not familiar with Norton. I ran those with Killbox, but how do I do a Norton scan now? The little icon on the bottom right of the desktop isn't showing.

redize
2007-10-03, 12:08
TrustedAntivirus installer just popped up and I clicked cancel, but it downloaded; then I had a message saying invalid point... wow, my com is weird! :sad:

ken545
2007-10-03, 12:57
Go to Start> All Programs and look for Norton, once it opens you will have to look through it to find the scan feature. I don't know what version you have so you will have to find that on your own.

Let me see a new HJT log

redize
2007-10-04, 00:40
New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:37:39 PM, on 10/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\winshow.exe
C:\PROGRA~1\COMMON~1\TRUSTE~1\uga6pcw.exe
C:\PROGRA~1\SSEMBL~1\spool32.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\s?stem32\w?nlogon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {327B057E-4AC6-418B-95D9-FC3403F85022} - C:\WINDOWS\System32\awvvv.dll
O2 - BHO: CIEIntegrator Object - {7A7F202E-AF91-4889-9DD5-2FE241085CC1} - C:\Program Files\TrustedAntivirus\Tools\popupg.dll
O2 - BHO: (no name) - {B9B0D653-65CA-3A61-BD5E-3F766C4F0096} - C:\WINDOWS\System32\epqesro.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IEFW Object - {FAAD2038-C371-473D-86F1-5B11D39C3775} - C:\Program Files\TrustedAntivirus\Tools\IEFWBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe
O4 - HKLM\..\Run: [uga6pcw] "C:\PROGRA~1\COMMON~1\TRUSTE~1\uga6pcw.exe" -start
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\SSEMBL~1\spool32.exe" -vt yazb
O4 - HKCU\..\Run: [Ekg] "C:\Program Files\s?stem32\w?nlogon.exe"
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvvutq - C:\WINDOWS\SYSTEM32\tuvvutq.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6955 bytes




I seriously can't find Norton; I have McAfee now.

redize
2007-10-04, 00:47
Found Norton, running a scan now. My Auto-Protect was off; when I try to enable it, it says there is an internal error! Figures.

redize
2007-10-04, 00:49
Getting A LOT of popups; WinAntiSpyware is back also :( Will my com ever be clean?

redize
2007-10-04, 01:45
I reran VundoFix; it found 3, then stopped the Norton scan and rebooted, so I'm running a SUPERAntiSpyware scan again, then Norton.

redize
2007-10-04, 03:20
SUPERAntiSpyware detected 112 files and removed them. I rebooted and here's a new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:20:02 PM, on 10/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\winshow.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Ekg] "C:\Program Files\s?stem32\w?nlogon.exe"
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvvutq - C:\WINDOWS\SYSTEM32\tuvvutq.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6181 bytes

ken545
2007-10-04, 10:59
You still have part of the Vundo infection; these dirt bags write new files all the time.

Remove these with HJT.

O4 - HKCU\..\Run: [Ekg] "C:\Program Files\s?stem32\w?nlogon.exe"
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')

O20 - Winlogon Notify: tuvvutq - C:\WINDOWS\SYSTEM32\tuvvutq.dll

Copy the file with the complete path inside the quote box by highlighting it and pressing CTRL C on your keyboard.

C:\WINDOWS\SYSTEM32\tuvvutq.dll

Open up Vundofix

Click on Scan for Vundo
When done, right click inside the white box and click on Add More Files
Paste in the first box what you just copied.
Close Window
Click on Scan for Vundo.
Close out the tool when done.
Paste the report into this thread



Download Pocket Killbox (http://www.majorgeeks.com/Pocket_KillBox_d4709.html) to your desktop.

Highlight the file with the complete path inside the Quote Box and press Ctrl C on your keyboard.

C:\WINDOWS\winshow.exe


Open Pocket Killbox
Go to File > Paste from clipboard
Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
If it's not greyed out, click the radio button that says Unregister .dll before deleting.
Make sure Single File is selected
Click on the Red circle with the white X
It will ask you to confirm the deletion...Say yes
It will ask you to reboot, say yes

If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.

C:\Program Files\s?stem32 <-- Look here for a folder with ????? and delete it.

Post a new HJT log and the Vundo log
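
The three entries singled out above share traits a defender can check mechanically: a Run value whose path contains characters HijackThis prints as "?", a startup shortcut whose target resolves to "?", and a Winlogon Notify DLL with a random-looking name sitting in System32. The script below is an added example (not part of this thread and not HijackThis's own code) that parses O2/O4/O20 lines and flags those patterns; the rules are my own encoding of what was flagged by hand here, and the sample lines are constructed from the log posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the HijackThis log posted above
# (same entry types and paths); not the complete log.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {327B057E-4AC6-418B-95D9-FC3403F85022} - C:\WINDOWS\System32\awvvv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ekg] "C:\Program Files\s?stem32\w?nlogon.exe"
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: tuvvutq - C:\WINDOWS\SYSTEM32\tuvvutq.dll
"""

# Line layouts of the three HJT sections handled here.
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RE_O4_RUN = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O4_STARTUP = re.compile(
    r"^O4 - (?P<where>.*?Startup): (?P<item>.*?)"
    r"(?: = (?P<target>.*?))?(?: \(User '(?P<user>[^']*)'\))?$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$")

SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
# Heuristic (assumption): a run of 6-9 lowercase letters with no vendor-style
# casing, as in tuvvutq.dll. Expect false positives; treat hits as leads.
RANDOM_STEM = re.compile(r"^[a-z]{6,9}$")


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str
    reason: str


def in_system32(path: str) -> bool:
    return SYSTEM32.search(path) is not None


def check_line(line: str) -> list[Finding]:
    """Apply the heuristics to one log line; returns zero or more findings."""
    found: list[Finding] = []
    line = line.rstrip()
    if m := RE_O2.match(line):
        path = m["path"]
        if "?" in path:
            found.append(Finding("homoglyph-path", line,
                                 "BHO path contains a character HJT could not print"))
        elif m["name"] == "(no name)" and in_system32(path):
            found.append(Finding("unnamed-bho", line,
                                 "nameless BHO loading a DLL from System32"))
    elif m := RE_O4_RUN.match(line):
        if "?" in m["cmd"]:
            # s?stem32\w?nlogon.exe: lookalike characters in the folder and
            # file name mimic the real winlogon.exe.
            found.append(Finding("homoglyph-path", line,
                                 "Run value points at a path with non-ASCII lookalike characters"))
    elif m := RE_O4_STARTUP.match(line):
        target = m["target"]
        if target == "?":
            found.append(Finding("unresolved-startup", line,
                                 "startup shortcut whose target HJT could not resolve"))
        elif target and "?" in target:
            found.append(Finding("homoglyph-path", line,
                                 "startup target contains a character HJT could not print"))
    elif m := RE_O20.match(line):
        path = m["path"]
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if "?" in path:
            found.append(Finding("homoglyph-path", line,
                                 "Winlogon Notify path contains a character HJT could not print"))
        elif in_system32(path) and RANDOM_STEM.match(stem):
            found.append(Finding("random-winlogon-notify", line,
                                 "Winlogon Notify DLL with a random-looking name in System32"))
    return found


def scan_log(text: str) -> list[Finding]:
    """Run check_line over every line of an HJT log and collect the findings."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.reason}\n    {f.line}")
```

Unflagged lines (Symantec, Adobe, the orphan "(no file)" BHO) are exactly the ones left alone in the fix list above; a hit is a lead to verify against the file on disk, not a verdict.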

redize
2007-10-04, 12:28
Could not find c:\program files\s?stem32, just c:\program files\system32, but the folder was empty.


Here is the new Vundo log:


VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:37:31 PM 9/21/2007

Listing files found while scanning....

C:\WINDOWS\System32\cgyvswjn.dll
C:\windows\system32\cilygfnm.ini
C:\windows\system32\edqgygpt.ini
C:\windows\system32\ifrgubgp.dll
C:\windows\system32\mnfgylic.dll
C:\windows\system32\pgbugrfi.ini2
C:\windows\system32\pgbugrfi.tmp
C:\windows\system32\tpgygqde.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\cgyvswjn.dll
C:\WINDOWS\System32\cgyvswjn.dll Has been deleted!

Attempting to delete C:\windows\system32\cilygfnm.ini
C:\windows\system32\cilygfnm.ini Has been deleted!

Attempting to delete C:\windows\system32\edqgygpt.ini
C:\windows\system32\edqgygpt.ini Has been deleted!

Attempting to delete C:\windows\system32\ifrgubgp.dll
C:\windows\system32\ifrgubgp.dll Has been deleted!

Attempting to delete C:\windows\system32\mnfgylic.dll
C:\windows\system32\mnfgylic.dll Has been deleted!

Attempting to delete C:\windows\system32\pgbugrfi.ini2
C:\windows\system32\pgbugrfi.ini2 Has been deleted!

Attempting to delete C:\windows\system32\pgbugrfi.tmp
C:\windows\system32\pgbugrfi.tmp Has been deleted!

Attempting to delete C:\windows\system32\tpgygqde.dll
C:\windows\system32\tpgygqde.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:47:15 PM 9/21/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 7:58:14 PM 9/22/2007

Listing files found while scanning....

C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.tmp
C:\windows\system32\pmnli.dll
C:\WINDOWS\System32\ukbgwuyd.dll

Beginning removal...

Attempting to delete C:\windows\system32\bmdxkpnk.dll
C:\windows\system32\bmdxkpnk.dll Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.tmp
C:\windows\system32\ilnmp.tmp Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\ukbgwuyd.dll
C:\WINDOWS\System32\ukbgwuyd.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:04:27 PM 9/22/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 2:34:00 PM 9/23/2007

Listing files found while scanning....

C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini2
C:\WINDOWS\system32\nqttvdyr.dll
C:\windows\system32\pmnli.dll
C:\WINDOWS\system32\rydvttqn.ini

Beginning removal...

Attempting to delete C:\windows\system32\ilnmp.bak2
C:\windows\system32\ilnmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini2
C:\windows\system32\ilnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Could not be deleted.

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rydvttqn.ini
C:\WINDOWS\system32\rydvttqn.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqttvdyr.dll
C:\WINDOWS\system32\nqttvdyr.dll Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.8

Checking Java version...

Java version is 1.5.0.11

Scan started at 2:55:22 PM 9/23/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:12:05 PM 9/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\csfmrmgu.dll
C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.ini
C:\windows\system32\pmnli.dll
C:\WINDOWS\system32\ugmrmfsc.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\csfmrmgu.dll
C:\WINDOWS\system32\csfmrmgu.dll Could not be deleted.

Attempting to delete C:\windows\system32\ilnmp.bak1
C:\windows\system32\ilnmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ugmrmfsc.ini
C:\WINDOWS\system32\ugmrmfsc.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\csfmrmgu.dll
C:\WINDOWS\system32\csfmrmgu.dll Has been deleted!

Attempting to delete C:\windows\system32\ilnmp.ini
C:\windows\system32\ilnmp.ini Has been deleted!

Attempting to delete C:\windows\system32\pmnli.dll
C:\windows\system32\pmnli.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 5:48:46 PM 9/23/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:45:26 PM 9/23/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 5:24:26 PM 9/25/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:59:50 PM 9/27/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:13:12 AM 10/1/2007

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:50:25 PM 10/3/2007

Listing files found while scanning....

C:\WINDOWS\System32\ecipnlpw.dll
C:\WINDOWS\System32\lsbvmyxt.dll
C:\WINDOWS\System32\txymvbsl.ini

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ecipnlpw.dll
C:\WINDOWS\System32\ecipnlpw.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\lsbvmyxt.dll
C:\WINDOWS\System32\lsbvmyxt.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\txymvbsl.ini
C:\WINDOWS\System32\txymvbsl.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\lsbvmyxt.dll
C:\WINDOWS\System32\lsbvmyxt.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.11

Scan started at 3:12:35 AM 10/4/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\tuvvutq.dll
C:\WINDOWS\SYSTEM32\tuvvutq.dll Has been deleted!

Performing Repairs to the registry.
Done!


Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:13 AM, on 10/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: AutoTBar.exe
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6351 bytes
Something's working! Don't seem to get any more popups, com is starting up faster and running smoother than ever. Something you are doing is working, once I am completely clean I am donating!! Thanks for all the hard work my friend :D

ken545
2007-10-04, 13:12
Almost home, after your log is clean you need to do a Windows update and download and install all the critical updates including Service Pack 2 (SP2). Don't do it yet, you need a clean machine before you do that. It will help stop this garbage from installing along with updating your Java. I get a lot of posters saying that they don't do SP2 because they heard it causes problems; I personally, between work, home and friends, have installed it on over 100 PCs with no problems. More on this later.

Remove these with HJT.

O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')



1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file, then extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to Delete:
C:\WINDOWS\winshow.exe
C:\WINDOWS\System32\lsbvmyxt.dll
C:\WINDOWS\system32\nqttvdyr.dll
C:\windows\system32\pmnli.dll
C:\WINDOWS\System32\ukbgwuyd.dll

Folders to delete:
C:\Program Files\system32

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Let me see the Avenger log and a new HJT log.

redize
2007-10-05, 00:41
After Avenger rebooted I got a cmd.exe error saying there is no disk in the drive, please insert a disk into drive \device\harddisk1\dr3.

Here's the log

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\uouodyle

*******************

Script file located at: \??\C:\yhlbjrno.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\winshow.exe not found!
Deletion of file C:\WINDOWS\winshow.exe failed!

Could not process line:
C:\WINDOWS\winshow.exe
Status: 0xc0000034



File C:\WINDOWS\System32\lsbvmyxt.dll not found!
Deletion of file C:\WINDOWS\System32\lsbvmyxt.dll failed!

Could not process line:
C:\WINDOWS\System32\lsbvmyxt.dll
Status: 0xc0000034



File C:\WINDOWS\system32\nqttvdyr.dll not found!
Deletion of file C:\WINDOWS\system32\nqttvdyr.dll failed!

Could not process line:
C:\WINDOWS\system32\nqttvdyr.dll
Status: 0xc0000034



File C:\windows\system32\pmnli.dll not found!
Deletion of file C:\windows\system32\pmnli.dll failed!

Could not process line:
C:\windows\system32\pmnli.dll
Status: 0xc0000034



File C:\WINDOWS\System32\ukbgwuyd.dll not found!
Deletion of file C:\WINDOWS\System32\ukbgwuyd.dll failed!

Could not process line:
C:\WINDOWS\System32\ukbgwuyd.dll
Status: 0xc0000034



Folder C:\Program Files\system32 not found!
Deletion of folder C:\Program Files\system32 failed!

Could not process line:
C:\Program Files\system32
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Here's the new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:41:27 PM, on 10/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6332 bytes

ken545
2007-10-05, 01:27
Run this scan and let's see if it finds anything else.

Download AVG Anti-Spyware Free (http://free.grisoft.com/doc/download-free-anti-spyware/us/frt/0) to your desktop.


Once you have downloaded AVG Anti-Spyware Free, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run AVG and update the definition files.
On the main screen select the icon Update then select the Update now link.
Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
Once in the Settings screen click on Recommended actions and then select Quarantine <-- Don't forget this
Under Reports
Select Automatically generate report after every scan
Uncheck Only if threats were found
Close AVG Anti-Spyware Free <-- Do not run the scan yet.

Boot your computer into Safemode

Go to Start> Shut Off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly.
This will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to SAFEMODE
Then press the Enter on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:

Launch AVG Anti-Spyware Free by double-clicking the icon on your desktop.
Select the Scanner icon at the top and then the Scan tab then click on Complete System Scan.
AVG will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will be prompted, then select Apply all actions
Next select the Reports icon at the top.
Select the Save report as button in the lower left hand of the screen and save it to a text file on your system <--Don't forget this
Make sure to remember where you saved that file, this is important, I need to see that log.
Close AVG Anti-Spyware Free



Remove this entry in Safemode
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')


TICHD003.exe Do a windows search for this file and delete it if you find it.


Boot normally and post the AVG Log and a New HJT log

Just want you to know I will be offline until sometime on
Tuesday, If I have a few minutes I will check in and look at your logs

redize
2007-10-10, 09:33
Com's been running good, here's a new HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:33:01 AM, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6082 bytes

redize
2007-10-10, 10:16
Note the AVG scan wouldn't save :( but I now keep the prog running..

ken545
2007-10-10, 12:54
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
Your log looks good outside of this entry; something on your system is preventing its removal, I see it being removed very easily on other threads.

Try booting to Safemode and removing it, then disable this if it's active
SUPERAntiSpyware:
Please disable SuperAntispyware. Right-click on the shortcut from the system tray, choose View Control Center (preferences/options), on the General and Startup tab, uncheck Start SUPERAntispyware when Windows starts, click Close to exit.

Open up AVG Antispyware and on the General page make sure the Resident shield is disabled.

Right click on Norton in your system tray and disable or shut it down, it will become active the next time you reboot.

Then try again to remove it with HJT

Post a new log and let's see if it's gone
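As an added example (not from the thread or any of its participants), here is a small Python script that parses HijackThis logs in the format posted above and compares two scans, which is how a helper checks that the winshow entry is gone while TA_Start.lnk is still there. The two logs are constructed and trimmed from entries quoted in this thread; the "needs review" rule (file-missing markers and unresolved .lnk targets) is an assumption about what to flag, not a HijackThis feature.

```python
"""Parse HijackThis v2 logs and diff the entries of two scans."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One log entry looks like:  O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# HijackThis appends these when the referenced file or CLSID target does not exist.
MISSING_MARKERS = ("(file missing)", "(no file)")

@dataclass(frozen=True)
class Entry:
    code: str   # section code such as "O4" or "O23"
    body: str   # everything after "O4 - "

    @property
    def file_missing(self) -> bool:
        return self.body.endswith(MISSING_MARKERS)

    @property
    def unresolved_shortcut(self) -> bool:
        # A Startup .lnk whose target could not be resolved is shown as "= ?"
        return self.code == "O4" and ".lnk = ?" in self.body

    def __str__(self) -> str:
        return f"{self.code} - {self.body}"

def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O entries, skipping the header and running-process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries

def diff_logs(before: str, after: str) -> dict[str, list[str]]:
    """Which entries vanished after a cleanup, which appeared, which survived."""
    b = {str(e) for e in parse_hjt(before)}
    a = {str(e) for e in parse_hjt(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b), "persisted": sorted(a & b)}

def needs_review(text: str) -> list[str]:
    """Entries a helper looks at first: dangling references and unresolved shortcuts."""
    return [str(e) for e in parse_hjt(text) if e.file_missing or e.unresolved_shortcut]

# Constructed, trimmed logs built from entries quoted in this thread (not real scans).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""
LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{kind}:", *lines, sep="\n    ")
    print("needs review:", *needs_review(LOG_AFTER), sep="\n    ")
```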

tashi
2007-10-19, 22:32
redize, are you still with us?

tashi
2007-10-22, 07:31
8 pages..... :spider:

redize, this topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you ken545.