
Help Please. I have 2 Viruses that I know of and probably more



8trac
2007-10-17, 08:20
As far as I know there's 2 viruses present and I'm pretty sure there's some spyware too. Any ideas?

ken545
2007-10-17, 12:55
Hello 8trac
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)


Please reply to this thread only and do not start any new topics for the same problem, or else your posts are going to be all over the forum and we won't be able to keep track of you. Also, by replying to yourself, you took yourself out of the zero-replies category that our helpers look for to work logs. I have archived your previous posts, so reply to this one by posting a new HJT log, please.

8trac
2007-10-18, 05:57
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:39 PM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8497 bytes

ken545
2007-10-18, 11:18
Good Morning,


We need to disable the TeaTimer in Spybot Search and Destroy so it does not interfere with the fix.

Open Spybot and go to Mode> Advanced Mode> Tools> Resident and take the checkmark out of Tea Timer


Please download NoLop (http://www.spywareedge.net/nolop/NoLop.exe) to your desktop.


First close any other programs you have running, as this will require a reboot.
Double click NoLop.exe to run it.
Now click the button labeled "Search and Destroy".
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected. Click OK.
Now click the "REBOOT" button.
A message should pop up from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log after completing the next steps.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx (http://www.boletrice.com/downloads/mscomctl.ocx) to your system32 folder, then rerun the program.

Post a new HJT log, please, along with the NoLop log.

8trac
2007-10-19, 07:29
NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Desktop
[10/19/2007]
[1:26:18 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Adobe
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Apple Computer
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Avg7
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Azureus
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Command & Conquer 3 Tiberium Wars
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Divx
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Draw Up
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Dvdcss
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Google
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Identities
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Leadertech
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Macromedia
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Microsoft
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Microsoft Games -- EMPTY Directory
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Mozilla
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Securom
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Sun
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Teleca
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Thunderbird
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Utorrent
C:\Documents and Settings\Administrator.jeruse-1a91b5ed\Application Data\Vlc
C:\Documents and Settings\All Users\Application Data\Adobe -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Kazaa Lite
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Pace Anti-piracy
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sony Ericsson
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Teleca
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users.windows.0\Application Data\Adobe
C:\Documents and Settings\All Users.windows.0\Application Data\Apple Computer
C:\Documents and Settings\All Users.windows.0\Application Data\Avg7
C:\Documents and Settings\All Users.windows.0\Application Data\Azureus
C:\Documents and Settings\All Users.windows.0\Application Data\Google
C:\Documents and Settings\All Users.windows.0\Application Data\Google Updater
C:\Documents and Settings\All Users.windows.0\Application Data\Great Coal Love Default
C:\Documents and Settings\All Users.windows.0\Application Data\Kaspersky Lab
C:\Documents and Settings\All Users.windows.0\Application Data\Logitech
C:\Documents and Settings\All Users.windows.0\Application Data\Microsoft
C:\Documents and Settings\All Users.windows.0\Application Data\Nvidia
C:\Documents and Settings\All Users.windows.0\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\All Users.windows.0\Application Data\Sony Ericsson
C:\Documents and Settings\All Users.windows.0\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users.windows.0\Application Data\Teleca
C:\Documents and Settings\All Users.windows.0\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users.windows.0\Application Data\Wlinstaller
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User.windows.0\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice.nt Authority\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice.nt Authority\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice.nt Authority\Application Data\Microsoft


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:53 AM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8112 bytes

ken545
2007-10-19, 12:53
The people who write this garbage are constantly updating and adding files; you do have a LOP infection, the scan just did not pick it up.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es

O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
O4 - HKCU\..\Run: C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe


Delete the files in RED:


C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default
C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1



Run this free online virus scanner.

Run Panda's ActiveScan from here (http://www.pandasoftware.com/activescan/com/activescan_principal.htm) and perform a full system scan.

Once you are on the Panda site, click the "Scan your PC" button.
A new window will open... click the big "Check Now" button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it will take a couple of minutes).
If you are on a slow connection, it will take about 15 minutes for the scanner to load.
Click on "Local Disks" to start the scan.
Once the scan is done, click "See report", then "Save report".
Save the log someplace you can find it.
Reboot.
Post the Panda scan results in your next reply.



Post the Panda report and a new HJT log, please.
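As an added illustration of what the helper picked out of the log above, here is a small Python triage filter over HijackThis-format lines. This is example code written for this page, not code from the thread or from HijackThis itself. It flags two patterns a defender looks for first: O1 Hosts entries that pin a hostname to a non-loopback address (which silently redirects that name around DNS), and O4 Run entries whose executable lives under a user profile's Application Data directory, in either long or 8.3 short form (DOCUME~1, APPLIC~1), which is where the LOP files in this thread were launched from. The sample log is constructed from the entries in this thread; the loopback set and the directory marker list are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 log format. The O1 and O4 entries are the
# ones singled out in the thread above, plus a few benign lines so the filter has
# something to leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Love default global mess] C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\safe creative.exe
O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
"""

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)\s*$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")

# Assumption of this example: only these addresses are considered harmless in a
# hosts entry; anything else pins the name to a specific (possibly attacker) host.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Profile data directories where user-writable autoruns tend to hide, in both the
# long form and the 8.3 short form HijackThis prints for HKCU entries (assumed list).
APPDATA_MARKERS = ("\\application data\\", "\\applic~1\\",
                   "\\local settings\\", "\\locals~1\\")


@dataclass
class Finding:
    line: str    # the HJT line exactly as logged, for matching in "Fix Checked"
    kind: str    # "hosts-redirect" or "appdata-autorun"
    detail: str  # human-readable reason


def command_path(command: str) -> str:
    """Pull the executable path out of an O4 command string.
    A quoted path is taken verbatim (arguments such as /hide follow the closing quote);
    otherwise everything up to the first .exe is taken, and a command with no .exe
    (e.g. a RunDll32 invocation) is returned as a whole."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(log_text: str) -> list:
    """Return the suspicious O1/O4 entries found in an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(Finding(line, "hosts-redirect",
                                        f"{host} pinned to {ip}: lookups for this name bypass DNS"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = command_path(command).lower()
            if any(marker in path for marker in APPDATA_MARKERS):
                findings.append(Finding(line, "appdata-autorun",
                                        f"{hive} Run value [{name}] launches from a profile data directory: {path}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.detail}")
```

Run against the sample, the filter reports the two hosts redirections and the two Application Data autoruns and stays quiet about NeroCheck, the Google notifier and the RunDll32 audio applet. The point of keeping the original line in each finding is that it is what gets ticked in HijackThis; the detail string only explains why.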

8trac
2007-10-19, 18:20
Hello Hello

So I fixed those entries using HijackThis, and deleted the two file folders in red.

Here's the Panda scan log:

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.adtech.de/]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.adultfriendfinder.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.com.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.gostats.com/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.overture.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.toplist.cz/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[.xiti.com/]
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Mozilla\Firefox\Profiles\dg9mpl0d.default\cookies.txt[www.burstbeacon.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@ads.pointroll[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@azjmp[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@bs.serving-sys[2].txt
Spyware:Cookie/Bridgetrack Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@citi.bridgetrack[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@com[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@go[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@questionmarket[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@serving-sys[2].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@stat.onestat[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@tribalfusion[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@2o7[1].txt

HJT report in next post

8trac
2007-10-19, 18:21
HJT report (ran out of room on previous post)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:12 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 7799 bytes

ken545
2007-10-19, 18:36
This one still has to go. Remove it with HJT

O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe

C:\Documents and Settings\Administrator\Jer <-- Can't see full name \Application Data\DRAWUP~1 <--Delete this file in Red


All Panda found were cookies :bigthumb:

Post a new HJT log please
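
An added example of the triage the helper is doing by eye above (my own code, not part of the thread and not HijackThis or ComboFix output): it parses O4 lines of the kind shown in this log, constructed inline from entries in the thread, and flags autoruns whose payload lives under a per-user profile data folder, as the Balmdrv entry does, while noting 8.3 short names that have to be expanded before the folder can be located. The directory markers and the "trusted root" list are my own assumptions, not HJT's rules.

```python
import re
from dataclasses import dataclass, field

# Constructed sample O4 lines, modelled on the HijackThis log posted in this thread.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [Balmdrv] C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe',
    r'O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe',
]

_RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
_STARTUP_RE = re.compile(r'^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$')

# Per-user profile data folders, long and 8.3 short form (assumed heuristic list).
_PROFILE_DIR_MARKERS = ('\\application data\\', '\\applic~1\\',
                        '\\local settings\\', '\\locals~1\\', '\\temp\\')
# Roots where a legitimately installed autorun is normally expected (assumed).
_TRUSTED_ROOTS = ('\\windows', ':\\program files\\', '\\progra~1\\')


@dataclass
class O4Entry:
    hive: str            # 'HKLM', 'HKCU' or 'Global Startup'
    name: str            # value name, e.g. Balmdrv
    command: str         # raw command as HJT printed it
    payload: str         # file actually loaded (exe, or DLL behind rundll32)
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)

    @property
    def uses_short_names(self) -> bool:
        # 8.3 names such as DRAWUP~1 hide the real folder name; expand before acting.
        return re.search(r'~\d', self.payload) is not None


def extract_payload(cmd: str) -> str:
    """Return the file an O4 command really loads: quoted path, unquoted path with
    spaces (taken up to the first .exe), or the DLL named before the comma when the
    launcher is rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe, rest = (cmd[1:end], cmd[end + 1:]) if end > 0 else (cmd[1:], '')
    else:
        m = re.match(r'(?i)(.+?\.exe)(.*)$', cmd)
        if m:
            exe, rest = m.group(1), m.group(2)
        else:
            parts = cmd.split(None, 1)
            exe, rest = parts[0], (parts[1] if len(parts) > 1 else '')
    if exe.lower().rsplit('\\', 1)[-1] in ('rundll32.exe', 'rundll32'):
        dll = rest.strip().split(',', 1)[0].strip().strip('"')
        if dll:
            return dll
    return exe


def assess(entry: O4Entry) -> O4Entry:
    low = entry.payload.lower()
    if any(marker in low for marker in _PROFILE_DIR_MARKERS):
        entry.reasons.append('payload lives under a per-user profile data folder')
    if entry.hive == 'HKCU' and not any(root in low for root in _TRUSTED_ROOTS):
        # HKCU Run needs no admin rights to write; outside Program Files/Windows it deserves a look.
        entry.reasons.append('per-user autorun outside Program Files or Windows')
    return entry


def parse_o4(line: str):
    m = _RUN_RE.match(line)
    if m:
        entry = O4Entry(m['hive'], m['name'], m['cmd'], extract_payload(m['cmd']))
    else:
        m = _STARTUP_RE.match(line)
        if not m:
            return None
        entry = O4Entry('Global Startup', m['name'], m['cmd'], extract_payload(m['cmd']))
    return assess(entry)


def triage(lines):
    return [e for e in map(parse_o4, lines) if e is not None]


def suspicious_names(lines):
    return [e.name for e in triage(lines) if e.suspicious]


if __name__ == '__main__':
    for e in triage(SAMPLE_O4_LINES):
        flag = 'SUSPECT' if e.suspicious else 'ok     '
        note = ' (8.3 short names, expand first)' if e.uses_short_names else ''
        print(f'{flag} {e.hive:<14} [{e.name}] -> {e.payload}{note}')
        for r in e.reasons:
            print(f'         - {r}')
```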

8trac
2007-10-19, 22:26
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:26:01 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\oodag.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 7825 bytes

ken545
2007-10-19, 22:31
Log looks good :bigthumb:


Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future


How are things running now ??

8trac
2007-10-19, 23:19
Thanks, so far things are running fine. Problem is though I have this program "CiD Help" giving me IE pop ups every once in a while. I would've tried removing it from add/remove but have read elsewhere that it gives even more problems. Is that true?

ken545
2007-10-19, 23:46
CiD Help is malware and maybe part of Messenger Plus. You do not have to live with it.


Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread



Open HJT
Then open the Misc Tools section
click on Generate a Startup List Log,
Don't check the 2 boxes just yet.
Post the log into this thread

8trac
2007-10-20, 01:28
Adobe Reader 7.0.7
AGEIA PhysX v7.05.17
C-Media High Definition Audio Driver
Command & Conquer 3
Disc2Phone
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Free Mp3 Wma Converter V 1.6.3
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
Half-Life 2: Episode Two
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Java(TM) 6 Update 3
Kaspersky Online Scanner
Logitech Audio Echo Cancellation Component
Logitech QuickCam
Logitech Video Enumerator
Logitech® Camera Driver
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2003 Resource Kit
Microsoft Office Professional Edition 2003
Microsoft Protection Service
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Live OneCare Resources v1.6.2111.38
Microsoft Windows OneCare Live AntiSpyware and AntiVirus
Microsoft Windows OneCare Live v1.6.2111.32 Idcrl Install
Microsoft Windows OneCare Live v1.6.2111.38
Mozilla Firefox (2.0.0.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
Nero 6 Enterprise Edition
Next Generation Visualisations
NVIDIA Drivers
O&O Defrag Professional Edition
Panda ActiveScan
Peggle Deluxe
PX Engine
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Sony Ericsson PC Suite 1.20.173
SpeechRedist
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steam
Tom Clancy's Ghost Recon Advanced Warfighter® 2
UMVPLStandalone
Unreal Tournament 2004
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB911280)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6c
Windows Internet Explorer 7
Windows Live installer
Windows Live Mail
Windows Live Messenger
Windows Live OneCare
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
WinZip 10 Pro
World of Warcraft


StartupList report, 10/19/2007, 7:26:48 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16544)
* Using default options
==================================================

Running processes:

C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup]
Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS.0\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
UnlockerAssistant = C:\Program Files\Unlocker\UnlockerAssistant.exe
LogitechCommunicationsManager = "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
LogitechQuickCamRibbon = "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
OneCareUI = "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
NvMediaCenter = RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
Sony Ericsson PC Suite = "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
NeroFilterCheck = C:\WINDOWS.0\system32\NeroCheck.exe
LVCOMSX = "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
Adobe Photo Downloader = "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS.0\system32\ctfmon.exe
AlcoholAutomount = "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
msnmsgr = "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS.0\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS.0\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS.0\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[Crucial cpcScan]
InProcServer32 = C:\WINDOWS.0\Downloaded Program Files\cpcScan.dll
CODEBASE = http://www.crucial.com/controls/cpcScanner.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS.0\system32\SHELL32.dll
CDBurn: C:\WINDOWS.0\system32\SHELL32.dll
WebCheck: C:\WINDOWS.0\system32\webcheck.dll
SysTray: C:\WINDOWS.0\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS.0\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 7,215 bytes
Report generated in 0.063 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

ken545
2007-10-20, 02:22
What I was looking for was not there. Those pop ups are malware but it's hiding from us so we need to do some detective work to find the cause.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

8trac
2007-10-20, 02:45
ComboFix 07-10-17.8@ - Administrator 2007-10-19 20:38:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.650 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\winpop

.
((((((((((((((((((((((((( Files Created from 2007-09-20 to 2007-10-20 )))))))))))))))))))))))))))))))
.

2007-10-19 20:37 51,200 --a------ C:\WINDOWS.0\NirCmd.exe
2007-10-19 01:23 212 --a------ C:\delete.bat
2007-10-10 22:20 112,840 --a------ C:\WINDOWS.0\system32\drivers\msfwhlpr.sys
2007-10-10 22:20 88,008 --a------ C:\WINDOWS.0\system32\drivers\msfwdrv.sys
2007-10-09 15:53 582,656 -----c--- C:\WINDOWS.0\system32\dllcache\rpcrt4.dll
2007-10-08 15:51 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Google Updater
2007-10-08 14:34 459,264 -----c--- C:\WINDOWS.0\system32\dllcache\msfeeds.dll
2007-10-08 14:34 267,776 -----c--- C:\WINDOWS.0\system32\dllcache\iertutil.dll
2007-10-08 14:34 52,224 -----c--- C:\WINDOWS.0\system32\dllcache\msfeedsbs.dll
2007-10-08 14:34 13,824 -----c--- C:\WINDOWS.0\system32\dllcache\ieudinit.exe
2007-10-08 14:33 6,058,496 -----c--- C:\WINDOWS.0\system32\dllcache\ieframe.dll
2007-10-08 14:33 2,455,488 -----c--- C:\WINDOWS.0\system32\dllcache\ieapfltr.dat
2007-10-08 14:33 383,488 -----c--- C:\WINDOWS.0\system32\dllcache\ieapfltr.dll
2007-10-08 14:33 33,792 --a--c--- C:\WINDOWS.0\system32\dllcache\custsat.dll
2007-10-08 10:45 <DIR> d-------- C:\Program Files\draw up
2007-10-08 02:01 <DIR> d-------- C:\WINDOWS.0\system32\Kaspersky Lab
2007-10-08 02:01 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Kaspersky Lab
2007-10-08 01:40 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 13:31 <DIR> d-------- C:\Program Files\Free Audio Pack
2007-10-05 13:31 141,312 --a------ C:\WINDOWS.0\system32\MSCMCFR.DLL
2007-10-05 13:31 119,568 --a------ C:\WINDOWS.0\system32\VB6FR.DLL
2007-10-05 13:31 101,888 --a------ C:\WINDOWS.0\system32\VB6STKIT.DLL
2007-10-05 13:31 59,904 --a------ C:\WINDOWS.0\system32\Mscc2fr.dll
2007-10-05 13:31 32,768 --a------ C:\WINDOWS.0\system32\CMDLGFR.DLL
2007-10-05 13:31 21,504 --a------ C:\WINDOWS.0\system32\TABCTFR.DLL
2007-10-05 13:31 15,360 --a------ C:\WINDOWS.0\system32\inetfr.DLL
2007-10-04 23:11 <DIR> d-------- C:\WINDOWS.0\system32\ActiveScan
2007-10-04 22:26 <DIR> d-------- C:\Program Files\DivoCodec
2007-09-24 21:34 356,352 --ah----- C:\WINDOWS.0\system32\nvudisp.exe
2007-09-24 21:31 356,352 --a------ C:\WINDOWS.0\system32\NVUNINST.EXE
2007-09-24 21:16 <DIR> d-------- C:\WINDOWS.0\NV14884076.TMP
2007-09-24 21:04 <DIR> d-------- C:\WINDOWS.0\system32\AGEIA
2007-09-24 21:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-24 21:04 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-09-24 18:30 <DIR> d-------- C:\Program Files\Windows Live
2007-09-24 18:30 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\WLInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 23:33 --------- d-----w C:\Program Files\Steam
2007-10-19 23:08 0 ----a-w C:\WINDOWS.0\system32\drivers\lvuvc.hs
2007-10-19 21:14 --------- d-----w C:\Program Files\Java
2007-10-19 15:51 --------- d-----w C:\Program Files\Microsoft Windows OneCare Live
2007-10-19 15:44 --------- d-----w C:\Program Files\Google
2007-10-19 15:43 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-10-19 05:20 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\uTorrent
2007-10-19 05:20 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\uTorrent
2007-10-19 05:20 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\uTorrent
2007-10-18 01:22 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Spybot - Search & Destroy
2007-10-17 21:57 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\dvdcss
2007-10-17 21:57 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\dvdcss
2007-10-17 21:57 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\dvdcss
2007-09-30 04:47 --------- d-----w C:\Program Files\World of Warcraft
2007-09-28 20:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-09-28 20:36 --------- d-----w C:\Program Files\Red Storm Entertainment
2007-09-25 00:57 --------- d-----w C:\Program Files\Ubisoft
2007-09-24 22:36 --------- d-----w C:\Program Files\MSN Messenger
2007-09-20 21:28 --------- d-----w C:\Program Files\DivX
2007-09-18 02:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-18 02:34 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-09-18 00:25 --------- d-----w C:\Program Files\MSXML 4.0
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS.0\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS.0\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS.0\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS.0\system32\DivX.dll
2007-09-17 05:57 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\avg7
2007-09-15 22:55 --------- d-----w C:\Program Files\Common Files\Logitech
2007-09-15 22:53 --------- d-----w C:\Program Files\Logitech
2007-09-15 22:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Logitech
2007-09-12 16:13 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\AVG7
2007-09-12 16:13 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\AVG7
2007-09-12 16:13 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\AVG7
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS.0\system32\DivXCodecVersionChecker.exe
2007-09-11 05:08 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-09-02 20:47 --------- d-----w C:\Program Files\Common Files\DirectX
2007-09-02 06:37 --------- d-----w C:\Program Files\Microsoft Games
2007-09-02 06:37 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Microsoft Games
2007-09-02 06:37 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Microsoft Games
2007-09-02 06:37 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Microsoft Games
2007-08-28 04:59 --------- d-----w C:\Program Files\GameSpy Arcade
2007-08-28 04:58 --------- d-----w C:\Program Files\Jagged Alliance 2 Gold
2007-08-28 04:56 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Thunderbird
2007-08-28 04:56 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Thunderbird
2007-08-28 04:56 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Thunderbird
2007-08-26 05:41 --------- d-----w C:\Documents and Settings\All Users.WINDOWS.0\Application Data\NVIDIA
2007-08-22 23:19 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Command & Conquer 3 Tiberium Wars
2007-08-22 23:19 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Command & Conquer 3 Tiberium Wars
2007-08-22 23:19 --------- d-----w C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\Command & Conquer 3 Tiberium Wars
2007-08-22 23:11 107,888 ----a-w C:\WINDOWS.0\system32\CmdLineExt.dll
2007-08-22 23:11 --------- d--h--r C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\SecuROM
2007-08-22 23:11 --------- d--h--r C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\SecuROM
2007-08-22 23:11 --------- d--h--r C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Application Data\SecuROM
2007-08-22 16:51 97,152 ----a-w C:\WINDOWS.0\system32\drivers\Rtnicxp.sys
2007-08-21 18:37 --------- d-----w C:\Program Files\Electronic Arts
2007-08-21 06:25 683,520 ----a-w C:\WINDOWS.0\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS.0\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS.0\system32\dtu100.dll
2007-08-16 20:17 51,568 ----a-w C:\WINDOWS.0\system32\sirenacm.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS.0\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS.0\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS.0\system32\ssldivx.dll
2007-08-15 22:33 129,784 ------w C:\WINDOWS.0\system32\pxafs.dll
2007-08-15 22:33 120,056 ------w C:\WINDOWS.0\system32\pxcpyi64.exe
2007-08-15 22:33 118,520 ------w C:\WINDOWS.0\system32\pxinsi64.exe
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS.0\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS.0\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS.0\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS.0\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS.0\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS.0\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS.0\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS.0\system32\DivXWMPExtType.dll
2007-08-13 22:54 413,696 ----a-w C:\WINDOWS.0\system32\vbscript.dll
2007-08-13 22:54 156,160 ----a-w C:\WINDOWS.0\system32\msls31.dll
2007-08-13 22:45 78,336 ----a-w C:\WINDOWS.0\system32\ieencode.dll
2007-08-13 22:44 40,960 ----a-w C:\WINDOWS.0\system32\licmgr10.dll
2007-08-13 22:39 71,680 ----a-w C:\WINDOWS.0\system32\admparse.dll
2007-08-13 22:39 55,296 ----a-w C:\WINDOWS.0\system32\iesetup.dll
2007-08-13 22:36 36,352 ----a-w C:\WINDOWS.0\system32\imgutil.dll
2007-08-13 22:32 45,568 ----a-w C:\WINDOWS.0\system32\mshta.exe
2007-08-13 22:01 48,128 ----a-w C:\WINDOWS.0\system32\mshtmler.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS.0\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS.0\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS.0\system32\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS.0\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS.0\system32\wucltui.dll
2007-07-30 23:19 271,224 ----a-w C:\WINDOWS.0\system32\mucltui.dll
2007-07-30 23:19 207,736 ----a-w C:\WINDOWS.0\system32\muweb.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS.0\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS.0\system32\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS.0\system32\wups.dll
2004-10-01 19:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-02-18 06:23]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe" [2006-06-26 09:46]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2006-06-26 10:34]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-10-01 09:53]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS.0\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2007-06-29 00:43]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"NeroFilterCheck"="C:\WINDOWS.0\system32\NeroCheck.exe" [2001-07-09 10:50]
"LVCOMSX"="C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe" [2006-06-26 10:33]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS.0\system32\ctfmon.exe" [2002-12-31 08:00]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-08 15:51]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-08-16 16:19]

C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-08 15:51:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balmdrv]
C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Love default global mess]
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\Flap Dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

R0 viamraid;viamraid;C:\WINDOWS.0\system32\DRIVERS\viamraid.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS.0\system32\DRIVERS\msfwhlpr.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS.0\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS.0\system32\drivers\cmudax.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS.0\system32\DRIVERS\MpFilter.sys

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6225563D-07E1-7DDA-064D-60DB26537706}]
C:\WINDOWS.0\Servcrypt\servcrypt.exe s
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-19 20:41:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-19 20:42:57
.
--- E O F ---

HJT log in next post

8trac
2007-10-20, 02:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:43 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 7917 bytes

ken545
2007-10-20, 03:15
Let's do this.



REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balmdrv]
C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Love default global mess]
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\Flap Dumb.exe


Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad). Name the file Regfix.reg and, in the drop-down box, save it as All Files. Save it to your desktop. Then right-click on the Regfix.reg file and click on Merge; when it asks you to merge with the Registry, say yes.

Reboot your system.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.


8trac, I have to look over your Combofix log for bad files, and I will also need to look over your SAS log. I may have a chance this evening, but I will be offline for most of tomorrow and will be back early evening, so take your time and post the logs please. We will get rid of this pest.
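
The fix above removes two entries from HKLM\...\MSConfig\startupreg, the key where msconfig records startup items that have been disabled; a REGEDIT4 header of the form [-KEY] deletes that key and everything under it when the .reg file is merged, while a plain [KEY] header would create or overwrite it. The following script is an added example for this thread, not ComboFix, HijackThis or the helper's own tooling: it parses stanzas in the "Reg Loading Points" layout shown in the ComboFix log, flags entries whose program lives under a profile or temp directory (a heuristic chosen for this example; the log itself does not state it, although both flagged files happen to sit under Application Data), and renders the matching [-KEY] deletion file. The four stanzas in SAMPLE are copied from the log posted above.

```python
"""Triage ComboFix-style autostart entries and emit a REGEDIT4 removal file.

Added example for this thread; it is not ComboFix, HijackThis or the
helper's own tooling. It parses "[HKEY_...]" headers followed by a command
line, flags entries whose target lives in a profile or temp directory (a
heuristic chosen here, not something the log states), and writes the
"[-KEY]" deletion stanzas that regedit understands.
"""
import re

# Sample input: the four startupreg stanzas copied from the ComboFix
# "Reg Loading Points" section posted above.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Balmdrv]
C:\DOCUME~1\ADMINI~1.JER\APPLIC~1\DRAWUP~1\Style Readme.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Love default global mess]
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\great coal love default\Flap Dumb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"""

# User-writable directories that legitimate autostart software rarely runs
# from; both the long names and the 8.3 short names seen in the log are listed.
SUSPECT_DIRS = (
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\",
    "\\locals~1\\",
    "\\temp\\",
)

HEADER_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
# Unquoted command lines may contain spaces in the path, so cut at the
# first executable extension rather than at the first space.
UNQUOTED_RE = re.compile(r"(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?:\s|$)", re.I)


def parse_entries(text):
    """Return (key, command) tuples; command is '' for an empty stanza."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        match = HEADER_RE.match(line)
        if match:
            entries.append([match.group(1), ""])
        elif line and entries and entries[-1][1] == "":
            entries[-1][1] = line
    return [tuple(entry) for entry in entries]


def target_path(command):
    """Extract the program path from a quoted or unquoted command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    match = UNQUOTED_RE.match(command)
    return match.group(1) if match else command.split(" ")[0]


def is_suspect(path):
    """True when the program is launched from a profile or temp directory."""
    lowered = path.lower().replace("/", "\\")
    return any(marker in lowered for marker in SUSPECT_DIRS)


def triage(text):
    """Return the registry keys whose autostart target looks suspect."""
    return [key for key, command in parse_entries(text)
            if command and is_suspect(target_path(command))]


def build_regfix(keys):
    """Render a REGEDIT4 file; a '[-KEY]' header deletes the key and its values.

    The output is plain ANSI text with CRLF line endings. Notepad appends
    .txt unless the save dialog is set to 'All Files', which is why the
    post asks for that setting.
    """
    lines = ["REGEDIT4", ""]
    for key in keys:
        lines.append("[-%s]" % key)
        lines.append("")
    return "\r\n".join(lines)


if __name__ == "__main__":
    print(build_regfix(triage(SAMPLE)))
```

Run stand-alone, the script prints a REGEDIT4 file deleting the Balmdrv and "Love default global mess" keys and leaves the QuickTime and Steam stanzas alone. Two caveats: deleting the startupreg key only removes msconfig's record of the disabled entry, so the executables it pointed at stay on disk until they are removed separately, and a path heuristic like this is a triage aid for reading logs, not a verdict; the helper still checks each flagged file.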

8trac
2007-10-20, 04:46
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/19/2007 at 10:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3328
Trace Rules Database Version: 1329

Scan type : Complete Scan
Total Scan Time : 01:01:35

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 5942
Registry threats detected : 0
File items scanned : 60718
File threats detected : 83

Adware.Tracking Cookie
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atdmt[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@partypoker[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@azjmp[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@adbrite[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@dev[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@specificclick[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@msnportal.112.2o7[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@msnaccountservices.112.2o7[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@perf.overture[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@2o7[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@tribalfusion[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@stat.onestat[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@citi.bridgetrack[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@cgi-bin[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@bs.serving-sys[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@atwola[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@eas.apm.emediate[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@nextag[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@questionmarket[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@serving-sys[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@adcentriconline[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@adlegend[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@clicktorrent[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@windowsmedia[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@www.windowsmedia[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@ads.pointroll[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@keywordmax[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@divx.adbureau[2].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@bizrate[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@3.adbrite[1].txt
C:\Documents and Settings\Administrator.JERUSE-1A91B5ED\Cookies\administrator@workopolis.122.2o7[1].txt
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\system@2o7[1].txt

Adware.Lop-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039613.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039641.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039657.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039731.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039815.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP106\A0039894.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP108\A0039983.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP108\A0039987.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP108\A0039991.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP109\A0040003.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP109\A0040007.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP109\A0040022.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP110\A0040026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP110\A0040035.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040280.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040332.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040340.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040426.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040433.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP118\A0040451.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP119\A0040496.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP120\A0040586.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP120\A0040592.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP120\A0040603.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP120\A0040695.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP121\A0040702.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP121\A0040706.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP121\A0040778.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP122\A0040915.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP122\A0040919.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP122\A0040928.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP123\A0040939.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP123\A0040943.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP123\A0040950.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP123\A0040954.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0040968.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041068.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041140.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041152.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041172.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041251.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041304.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP124\A0041310.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041320.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041324.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041384.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041394.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041395.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{251B4AEE-5ECC-408C-B2CF-6B960A9E58C1}\RP125\A0041396.EXE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:27 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\RunDll32.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS.0\system32\RUNDLL32.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS.0\system32\nvsvc32.exe
C:\WINDOWS.0\system32\oodag.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Logitech\QuickCam10\COCIManager.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\WINDOWS.0\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [UnlockerAssistant] C:\Program Files\Unlocker\UnlockerAssistant.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS.0\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.0\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 8136 bytes
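As an added example that is not part of this thread or of the HijackThis tool, the following Python triage pass reads the log format posted above and picks out the entry kinds a helper checks first, such as the O2 BHO that points at "(no file)" and an O23 service listed with an unknown owner. The log excerpt inside the script is constructed from the entry formats quoted in the thread, not the full log.

```python
import re
from collections import Counter

# Constructed excerpt of a HijackThis 2.0.2 log, modelled on the entry
# formats quoted in this thread (not the thread's full log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS.0\system32\oodag.exe
"""

# Every HJT finding line is "<section> - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# An O4 body is '<hive>\..\Run: [<name>] <command>'.
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\] (?P<command>.*)$")
ABS_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hjt(text):
    """Return the HJT finding lines as (section, body) tuples, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def triage(text):
    """Flag entries a helper would look at first; returns (section, reason, body)."""
    findings = []
    for section, body in parse_hjt(text):
        if body.endswith("(no file)"):
            # CLSID still registered but its DLL is gone: leftover of a removed program or infection.
            findings.append((section, "orphaned entry, file missing", body))
        elif section == "O23" and " - Unknown owner - " in body:
            # Service binary carries no publisher name, so verify it before trusting it.
            findings.append((section, "service with unknown owner", body))
        elif section == "O4":
            m = RUN_RE.search(body)
            if m and not ABS_PATH_RE.match(m["command"]):
                # A bare file name is resolved through the search path; confirm which binary runs.
                findings.append((section, "run entry without absolute path", body))
    return findings


def section_counts(text):
    """Number of findings per HJT section (R0, O2, O4, ...)."""
    return Counter(section for section, _ in parse_hjt(text))
```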

ken545
2007-10-20, 11:38
Your log looks fine, and all SAS found were cookies and bad entries in your System Restore program; we need to flush it all out.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you will be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it


Use your computer for a bit and let me know if you are still getting those popups, if so we need to dig deeper.

8trac
2007-10-21, 06:28
Thanks for all the help! My computer ran fine all day, no pop-ups, yet CiD Help is still in my Add/Remove section... Should I be worried?

ken545
2007-10-21, 13:57
I don't see it on your Add/Remove list; you may be able to open Add/Remove Programs, right-click on it and remove it from the list.

Post back in a few days if it comes back
Ken

tashi
2007-10-29, 19:14
As the problem appears to be resolved this topic has been archived. :)

If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

Thanks Ken.