AdvancedCleaner popups



pbarr
2007-12-14, 04:13
Popups from AdvancedCleaner are coming up whenever I browse. Spybot did not fix it, nor did McAfee. Neither site has any posting about this.

I run XP Home SP2, IE7. This started happening shortly after I upgraded to IE7.

Any ideas? Please help.

Phil

__RiP_ChAiN_
2007-12-14, 04:20
Hello pbarr,

Please have a look through this thread (http://forums.spybot.info/showthread.php?t=288), and if you still require assistance afterwards, please post the required logs.

pbarr
2007-12-14, 05:38
I'm still getting loads of popups even though Spybot, McAfee and your recommended virus scanner found nothing in memory or on disk. --help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:35 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\aspimgr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\BRMFRSMG.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: eFax DllCmd 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SmartUI.lnk = ?
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/02d36b81cd3a64152803/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133264723490
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://easyaccess.trinity-health.org/dana-cached/setup/JuniperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Barr
O17 - HKLM\Software\..\Telephony: DomainName = Barr
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Barr
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7997 bytes

__RiP_ChAiN_
2007-12-14, 06:18
Hello pbarr,

Important information: You have signs of a backdoor trojan (http://www.geekstogo.com/2007/10/03/what-is-a-backdoor-trojan/) and/or rootkit on your system (more info (http://www.geekstogo.com/forum/Malware-FAQ-t165867.html)). These have the potential to harvest confidential data, and require special attention. Although rare, identity theft, or other fraudulent financial activity is a possibility. We generally have good success removing all signs of these infections. However, if you have adequate backups, required media (CDs), and the ability, at this point it would be wise to consider reformatting and reinstalling your operating system and applications. We can provide you with some helpful links if needed.

Before we proceed, we recommend that you temporarily disconnect the infected system from the Internet to protect yourself, and others. This is because these infections may use the Internet for remote access, or even remote control of an infected system. If you don’t have access to another system, and require Internet access, be sure to have a firewall installed. We recommend the free version of Comodo (http://www.personalfirewall.comodo.com/). Note: never run more than one firewall.

If you used the infected system for online banking, any online financial transactions (including eBay and Paypal), or access any sensitive information online, please use a known clean computer, and change your passwords as soon as possible. It would also be wise to contact those same financial institutions to let them know your account information and passwords may have been compromised. Closely monitor all bank and credit card statements. In the event you do notice suspicious activity, it's important you act quickly. Follow these steps recommended by the FTC: Defend: Recover From Identity Theft (http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html).

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please download ComboFix by sUBs from HERE (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or HERE (http://subs.geekstogo.com/ComboFix.exe)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
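The two entries the helper keyed on are visible in the HijackThis log above: the "Microsoft copyright" BHO pointing at a bare judgemq.dll marked (file missing), and the aspimgr service with Unknown owner running from system32 (the file ComboFix later deleted). As an added example that is not part of this thread or of the HijackThis/ComboFix tools, the Python below parses O2/O23 lines in that format and flags exactly those signs; the sample lines are constructed from the log format, and the heuristics and the C:\WINDOWS path assumption are my own.

```python
"""Triage of HijackThis v2 log lines (added example, not from the thread or from
the HijackThis/ComboFix tools). Flags the O2 (BHO) and O23 (service) entries that
show the signs the helper reacted to: a BHO registered with a bare DLL name and
marked "(file missing)", and a service with "Unknown owner" living in system32."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: three O2 and three O23 lines in the HijackThis v2.0.2 line
# format, modelled on the log in the thread (two suspicious, four benign).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - judgemq.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Line shapes as HijackThis prints them: "O2 - BHO: name - {CLSID} - path" and
# "O23 - Service: name - owner - path".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

FILE_MISSING = "(file missing)"
WINDOWS_DIR = "c:\\windows\\"   # assumption: %SystemRoot% is C:\WINDOWS, as in this log


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list[str] = field(default_factory=list)


def _is_bare_filename(path: str) -> bool:
    """A DLL given without any directory is resolved through the DLL search path."""
    return path != "" and "\\" not in path and "/" not in path


def triage_bho(name: str, path: str) -> Finding:
    """Heuristics for an O2 entry (a BHO is loaded into every Internet Explorer process)."""
    f = Finding("O2", name, path)
    if path.endswith(FILE_MISSING):
        f.path = path[: -len(FILE_MISSING)].rstrip()
        f.reasons.append("registered DLL reported as file missing: hidden, or removed while the CLSID key stayed")
    if _is_bare_filename(f.path):
        f.reasons.append("bare DLL name with no directory: legitimate BHOs register a full path")
    return f


def triage_service(name: str, owner: str, path: str) -> Finding:
    """Heuristics for an O23 entry (installed Windows service)."""
    f = Finding("O23", name, path)
    under_windows = path.lower().startswith(WINDOWS_DIR)
    if owner == "Unknown owner" and under_windows:
        f.reasons.append("Unknown owner for a binary under C:\\WINDOWS: genuine Windows services carry Microsoft as owner")
    if "microsoft" in name.lower() and "microsoft" not in owner.lower():
        f.reasons.append("service name claims Microsoft but the file owner is not Microsoft")
    return f


def triage_hjt_log(text: str) -> list[Finding]:
    """Parse O2/O23 lines and return only the entries that earned at least one reason."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            f = triage_bho(m["name"], m["path"])
        elif m := O23_RE.match(line):
            f = triage_service(m["name"], m["owner"], m["path"])
        else:
            continue  # other sections (O4, O16, ...) are not triaged here
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_HJT_LOG):
        print(f"{f.section} {f.name!r} -> {f.path}")
        for r in f.reasons:
            print("   -", r)
```

A hit from this script is a lead to confirm with the file's timestamp and signer (the ComboFix "Files Created" section shows judgemq.dll appearing in system32 two days before the popups), not a verdict on its own.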

pbarr
2007-12-14, 07:41
ComboFix died when it got to the "deleting Files/Folders:" step.

It does not show any files deleted.

I'm going to reboot and try to run it from safe mode.

Phil

pbarr
2007-12-14, 08:06
Actually, when I hit Ctrl-C in the ComboFix window, I was prompted to terminate the batch job. When I responded 'no', the program continued and did delete several files (hopefully logging them).

It then completed and rebooted. I'm not starting in safe mode and plan to re-run ComboFix if I can find it.

Oh, surprise, surprise: ComboFix began running on bootup in safe mode. Smart little devil. I'll go back to my infected machine now and send the logs.

pbarr
2007-12-14, 08:56
The network connection did not come back.

The help and support

pbarr
2007-12-14, 09:16
There are 73 files which were created by ComboFix.

Any idea how to get the network restarted? Many of the services will no longer start.

I'm tired and going to rest; will try tomorrow.

__RiP_ChAiN_
2007-12-14, 17:52
The network connection did not come back.

The help and support
Did you do a complete computer reboot?

pbarr
2007-12-15, 19:26
Hi Rip Chain,

Yes, I've rebooted several times. Still no internet.

Here's my logs (transferred using a USB drive):
combofix log
uninstall list (did not change before or after; I did a file compare)


======== combo fix.txt [there are lots of other files in the combofix log directory] ==================

ComboFix 07-12-14.4 - Pink 2007-12-14 0:47:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.294 [GMT -5:00]
Running from: C:\Documents and Settings\Pink\Local Settings\Temporary Internet Files\Content.IE5\4L230TIB\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Pink\g2mdlhlpx.exe
C:\RECYCLER\rap group email list.xls.LNK
C:\WINDOWS\g32.txt
C:\WINDOWS\s32.txt
C:\WINDOWS\system32\aspimgr.exe
C:\WINDOWS\ws386.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASPIMGR
-------\aspimgr


((((((((((((((((((((((((( Files Created from 2007-11-14 to 2007-12-14 )))))))))))))))))))))))))))))))
.

2007-12-13 23:33 . 2007-12-13 23:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-13 22:41 . 2007-12-13 22:41 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-13 22:41 . 2007-12-13 22:41 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-13 22:41 . 2007-12-13 22:41 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-12-13 22:17 . 2007-12-13 22:17 <DIR> d-------- C:\Program Files\Safer Networking
2007-12-13 00:11 . 2007-12-13 00:18 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-12-12 16:56 . 2007-12-13 19:15 22 --a------ C:\WINDOWS\system32\lt.res
2007-12-12 10:46 . 2007-12-12 10:46 25,600 --a------ C:\WINDOWS\system32\judgemq.dll
2007-12-12 10:46 . 2007-12-13 19:15 4,455 --a------ C:\WINDOWS\system32\sft.res
2007-12-08 17:05 . 2007-12-07 16:20 9,555 --a------ C:\WINDOWS\system32\Custom - Item Web Export.qrp
2007-12-08 12:35 . 2007-12-08 12:35 <DIR> d-------- C:\Program Files\Notepad++
2007-12-08 12:35 . 2007-12-08 15:02 <DIR> d-------- C:\Documents and Settings\Pink\Application Data\Notepad++
2007-12-06 19:32 . 2007-10-10 18:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-06 19:32 . 2007-04-17 04:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-06 19:32 . 2007-03-08 00:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-06 19:32 . 2007-10-10 18:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-06 19:32 . 2007-10-10 18:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-06 19:32 . 2007-10-10 18:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-06 19:32 . 2007-10-10 18:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-06 19:32 . 2007-10-10 18:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-06 19:32 . 2007-10-10 05:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-05 20:25 . 2007-12-05 20:25 <DIR> d-------- C:\Documents and Settings\Pink\Application Data\Helios
2007-12-05 20:24 . 2007-12-05 20:26 <DIR> d-------- C:\Program Files\TextPad 5
2007-11-24 10:31 . 2007-11-24 10:31 <DIR> d---s---- C:\Documents and Settings\Hugo's People\UserData
2007-11-22 16:21 . 2007-11-22 16:21 <DIR> d-------- C:\Documents and Settings\Hugo's People\Application Data\Juniper Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-10 07:59 --------- d-----w C:\Documents and Settings\Pink\Application Data\SSH
2007-12-08 12:44 --------- d-----w C:\Program Files\Apple Software Update
2007-11-28 04:56 --------- d-----w C:\Program Files\ScottradeELITE
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 13:32 --------- d-----w C:\Documents and Settings\Pink\Application Data\Juniper Networks
2007-10-15 12:22 --------- d-----w C:\Documents and Settings\Pink\Application Data\Skype
1998-12-09 02:53 99,840 -c--a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 -c--a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 -c--a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 -c--a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 -c--a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 -c--a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 08:48]
"PaperPort PTD"="C:\Program Files\Scansoft\PaperPort\pptd40nt.exe" [2002-08-12 08:33]
"IndexSearch"="C:\Program Files\Scansoft\PaperPort\IndexSearch.exe" [2002-08-12 10:07]
"SetDefPrt"="C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe" [2003-07-03 15:31]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-12-01 22:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]

C:\Documents and Settings\Phil\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2004-04-13 17:03:10]

C:\Documents and Settings\Pink\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Palm\HOTSYNC.EXE [2004-04-13 17:03:10]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
eFax DllCmd 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GDllCmd.exe [2005-12-01 02:04:36]
eFax Tray Menu 4.0.lnk - C:\Program Files\eFax Messenger 4.0\J2GTray.exe [2005-12-01 02:04:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
SmartUI.lnk - C:\Program Files\Scansoft\PaperPort\SmartUI\SmartUI.exe [2003-02-03 10:29:12]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 16:51:54]

S1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
S1 NEOFLTR_550_11711;Juniper Networks TDI Filter Driver (NEOFLTR_550_11711);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_550_11711.SYS
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys
S3 BrSerWDM;Brother Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys
S3 BrUsbMdm;Brother MFC USB Fax Only Modem;C:\WINDOWS\system32\Drivers\BrUsbMdm.sys
S3 BrUsbScn;Brother MFC USB Scanner driver;C:\WINDOWS\system32\Drivers\BrUsbScn.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0xmlprov\0wscsvc\0WmdmPmSN

.
Contents of the 'Scheduled Tasks' folder
"2007-12-08 12:44:28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-14 01:46:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-14 1:48:19 - machine was rebooted
.
2007-12-13 08:15:17 --- E O F ---
============================= end combofix log =================

=======Uninstall [list did not change ] from before or after =============================
Adobe Flash Player ActiveX
Adobe Reader 7.0.9
Apple Mobile Device Support
Apple Software Update
Brother MFL-Pro Suite
Dragon NaturallySpeaking Preferred
eFax Messenger 4.0
Epocrates Essentials
FreeMind
FreeZip
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ieSpell 2.2.0 (build 647)
iPod Reset Utility
iTunes
J2SE Runtime Environment 5.0 Update 6
Juniper Networks Secure Application Manager
Kaspersky Online Scanner
McAfee VirusScan Enterprise
MetaFrame Presentation Server Web Client for Win32
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft XML Parser and SDK
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Notepad++
PAIGE Patient Instruction Generator
Palm Desktop
PaperPort 8.0 SE
PENTAX USB DISK Device
QuickTime
RealPlayer
RunAlyzer
SecureShell
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Skype 2.0
Spybot - Search & Destroy
TextPad 5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VNC Free Edition 4.1.1
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2

======== end uninstall list ============

pbarr
2007-12-15, 19:42
I hope you have some advice. I'm still down.

Here's what some others say.

What 411-spyware.com says (although they recommend using spyhunter so I don't know if I should trust them)

What symantec says

Any idea why spybot can't detect this malware?

Thanks, Phil

=========411 spyware ===========
How to Detect & Remove AdvancedCleaner

What is AdvancedCleaner?
AdvancedCleaner may be a rogue anti-spyware program that may falsely report computer infection in order to scare you into buying AdvancedCleaner. AdvancedCleaner’s fake security alerts may read:

“Unregistered AdvancedCleaner Version

This feature is available in the registered version only. You need to purchase AdvancedCleaner to access this feature…

To purchase AdvancedCleaner please Register!”

AdvancedCleaner may be compared to VirusBlast, SpySheriff, and MySpyProtector.

Send all your love letters and fan mail to AdvancedCleaner.com, and download and install Firefox Mozilla web browser — a lot of spyware and malware like ContraVirus can infect your computer by sneaking through Internet Explorer. Leave any questions you may have in the comments box, and our community will answer them.

Automatically Detect AdvancedCleaner
You can repair your computer manually, but this may mean searching your PC’s folders and registry for hours for AdvancedCleaner’s hidden files. To save time, you can automatically scan your PC for AdvancedCleaner and other spyware parasites.

SpyHunter’s FREE Spyware Scan for AdvancedCleaner
You can easily detect AdvancedCleaner with SpyHunter’s FREE spyware scanner. If you’re really infected with AdvancedCleaner, you can purchase the full-version of SpyHunter to remove AdvancedCleaner and other spyware, adware, tracking cookies, and more.

How to Get Rid of AdvancedCleaner
Your best protection against AdvancedCleaner is to quickly detect and remove AdvancedCleaner processes, registry keys, DLLs, and other AdvancedCleaner files from your PC.

Manually Remove AdvancedCleaner
Manual removal of any spyware can be difficult. When you try to manually remove AdvancedCleaner, you risk destroying your PC. It’s highly recommended you use an automatic spyware scanner to determine you’re infected with AdvancedCleaner. It’s also recommended you backup your system any time before editing your registry.

To remove AdvancedCleaner manually, you need to delete various AdvancedCleaner files. Not sure how to delete AdvancedCleaner files, DLLs, registry keys? Click here. Otherwise, go ahead and…

Remove AdvancedCleaner processes:

%ProgramFiles%\AdvancedCleaner Free\InstStat.exe
%UserProfile%\Local Settings\Temp\UADC_0001_[EIGHT RANDOM CHARACTERS]\installer.exe
%ProgramFiles%\AdvancedCleaner Free\unins000.exe
%ProgramFiles%\AdvancedCleaner Free\UADCcw.exe
%ProgramFiles%\AdvancedCleaner Free\UADC.exe
Delete AdvancedCleaner DLLs:

%ProgramFiles%\AdvancedCleaner Free\atl71.dll
%ProgramFiles%\AdvancedCleaner Free\mfc71.dll
%ProgramFiles%\AdvancedCleaner Free\msvcp71.dll
%ProgramFiles%\AdvancedCleaner Free\msvcr71.dll
Delete AdvancedCleaner DATs:

%ProgramFiles%\AdvancedCleaner Free\acu.dat
%ProgramFiles%\AdvancedCleaner Free\AppDB\profiles.dat
%ProgramFiles%\AdvancedCleaner Free\AppDB\prowords.dat
%ProgramFiles%\AdvancedCleaner Free\lapv.dat
%ProgramFiles%\AdvancedCleaner Free\tasks.dat
%ProgramFiles%\AdvancedCleaner Free\upser.dat
%ProgramFiles%\AdvancedCleaner Free\unins000.dat
%ProgramFiles%\AdvancedCleaner Free\transformer.dat
%ProgramFiles%\AdvancedCleaner Free\naglinks.dat
%ProgramFiles%\AdvancedCleaner Free\report.dat
%ProgramFiles%\AdvancedCleaner Free\req.dat
%ProgramFiles%\AdvancedCleaner Free\request.dat
%ProgramFiles%\AdvancedCleaner Free\appv.dat
%ProgramFiles%\AdvancedCleaner Free\antiVlog.dat
%ProgramFiles%\AdvancedCleaner Free\appAct.dat

Detect and Remove these AdvancedCleaner files:

%UserProfile%\Desktop\AdvancedCleaner Free.lnk
%ProgramFiles%\AdvancedCleaner Free\AppDB\AppBase.xml
C:\Documents and Settings\All Users\Start Menu\Programs\AdvancedCleaner Free\AdvancedCleaner HomePage.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AdvancedCleaner Free\AdvancedCleaner Online Manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AdvancedCleaner Free\Uninstall AdvancedCleaner.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AdvancedCleaner Free\AdvancedCleaner.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AdvancedCleaner Free\AdvancedCleaner Online Support.lnk
%ProgramFiles%\AdvancedCleaner Free\img\button.gif
%ProgramFiles%\AdvancedCleaner Free\manual.url
%ProgramFiles%\AdvancedCleaner Free\readme.rtf
%ProgramFiles%\AdvancedCleaner Free\support.url
%ProgramFiles%\AdvancedCleaner Free\UADC.url
%ProgramFiles%\AdvancedCleaner Free\UADC.xml
%ProgramFiles%\AdvancedCleaner Free\img\button2.gif
%ProgramFiles%\AdvancedCleaner Free\img\header.gif
%ProgramFiles%\AdvancedCleaner Free\license.rtf
%ProgramFiles%\AdvancedCleaner Free\img\logo.gif
%ProgramFiles%\AdvancedCleaner Free\img\spacer.gif
%ProgramFiles%\AdvancedCleaner Free\img\top1.jpg
%ProgramFiles%\AdvancedCleaner Free\img\top2.jpg
%ProgramFiles%\AdvancedCleaner Free\img\top_line.gif
%ProgramFiles%\AdvancedCleaner Free\uninstall.ico
%ProgramFiles%\AdvancedCleaner Free\UninstallPage.html

AdvancedCleaner changed your homepage?

Click Windows Start menu > Control Panel > Internet Options. Next, under Home Page, select the General > Use Default. Type in the URL you want as your home page (e.g., “http://www.homepage.com”). Then select Apply > OK. You’ll want to open a fresh web page and make sure that your new default home page pops up.


How Do I Remove AdvancedCleaner Files?
Need help figuring out how to delete files, DLLs, and registry keys? While there’s some risk involved, and you should only manually remove AdvancedCleaner files if you’re comfortable and confident editing your system, you’ll find it’s fairly easy to delete AdvancedCleaner files in Windows.

How to delete AdvancedCleaner files in Windows XP and Vista:
Click your Windows Start menu, and from “Search,” click “For Files and Folders…”
A speech bubble will pop up asking you, “What do you want to search for?” Click “All files and folders.”
Type any file name in the search box, and select “Local Hard Drives.”
Click “Search.” Once the file is found, delete it.

How to stop AdvancedCleaner processes:
Click Start menu, select Run > cmd, and click “OK” to launch Windows Task Manager.
Click “Image Name” to search and find AdvancedCleaner processes by name.
Once you’ve found the AdvancedCleaner process, click “End Process” to kill the AdvancedCleaner process.
Finally, remove AdvancedCleaner process files from your system.

How to remove AdvancedCleaner registry keys:
Your Windows registry is the core of your Windows operating system, storing information about user settings, system preferences, and software, including which applications automatically launch at start up. Because of this, spyware, malware, and adware will often bury their own files into your Windows registry so that they automatically launch every time you start up your PC.

Because your registry is such a key piece of your Windows system, you should always back up your registry before you make any changes to it. Editing your registry can be intimidating if you’re not a computer expert, and when you change or delete a critical registry key or registry value, there’s a chance you may need to reinstall your entire Windows operating system. Make sure you back up your registry before editing it.

Select your Windows menu “Start,” and click “Run.” An “Open” field will appear. Type “regedit” and click “OK” to open up your Registry Editor.
Registry Editor will open as a window with two panes. The left side Registry Editor’s window lets you select various registry keys, and the right side displays the registry values of the registry key you select.
To find a registry key, such as any AdvancedCleaner registry keys, select “Edit,” then select “Find,” and in the search bar type any of AdvancedCleaner’s registry keys.
As soon as the AdvancedCleaner registry key appears, you can delete the AdvancedCleaner registry key by right-clicking it and selecting “Modify,” then clicking “Delete.”
Computer acting funny after you’ve edited your registry and deleted AdvancedCleaner registry keys? Just restore your registry with your backup.

How to remove AdvancedCleaner DLL files:
Like most any software, spyware, adware, and malware may also use DLL files. DLL is short for “dynamically linked library,” and AdvancedCleaner DLL files, like other DLLs, carry out predetermined tasks. To manually delete AdvancedCleaner DLL files, you’ll use Regsvr32, a Windows tool designed to help you remove DLL and other files.

First you’ll locate AdvancedCleaner DLL files you want to delete. Open your Windows Start menu, then click “Run.” Type “cmd” in Run, and click “OK.”
To change your current directory, type “cd” in the command box, press your “Space” key, and enter the full directory where the AdvancedCleaner DLL file is located. If you’re not sure if the AdvancedCleaner DLL file is located in a particular directory, enter “dir” in the command box to display a directory’s contents. To go one directory back, enter “cd ..” in the command box and press “Enter.”
When you’ve located the AdvancedCleaner DLL file you want to remove, type “regsvr32 /u SampleDLLName.dll” (e.g., “regsvr32 /u jl27script.dll”) and press your “Enter” key.
That’s it. If you want to restore the AdvancedCleaner DLL file you removed, enter “regsvr32 DLLJustDeleted.dll” (e.g., “regsvr32 jl27script.dll”) into your command box, and press your “Enter” key.

==============end 411 spyware =========

========= symantec ========

Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.


Navigate to and delete the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"AdvancedCleaner Free" = ""C:\Program Files\AdvancedCleaner Free\UADC.exe" /min"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"UADC_104911963" = ""C:\Program Files\AdvancedCleaner Free\UADCcw.exe" -c"


Navigate to and delete the following registry subkeys:

HKEY_ALL_USERS\SofTware\AdvancedCleaner Free
HKEY_LOCAL_MACHINE\SOFTWARE\AdvancedCleaner Free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UADC_is1
HKEY_LOCAL_MACHINE\SOFTWARE\UADC_[EIGHT RANDOM CHARACTERS]

=========== end symantec =========
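A script that checks a machine for the autorun values, subkeys and install folder listed in the Symantec notes above (an added example, not part of this thread and not Symantec's tool): it only reports by default, deletes only when run with -Remove, and honours -WhatIf. It assumes the "HKEY_ALL_USERS" line means the current user's hive (HKCU), and matches the UADC_[EIGHT RANDOM CHARACTERS] key by prefix rather than guessing the suffix.

```powershell
# Added example, not from this thread or from Symantec: audit the autorun
# entries and keys quoted above. Reports by default; deletes only with -Remove.
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Value names as listed in the Symantec removal notes above.
$runValues = @('AdvancedCleaner Free', 'UADC_104911963')
# Subkeys listed above; the "HKEY_ALL_USERS" entry is taken to mean the
# current user's hive (HKCU). That is an assumption: no hive has that name.
$subKeys = @(
    'HKCU:\SOFTWARE\AdvancedCleaner Free',
    'HKLM:\SOFTWARE\AdvancedCleaner Free',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\UADC_is1'
)
# UADC_[EIGHT RANDOM CHARACTERS]: match the prefix instead of guessing a suffix.
$subKeys += @(Get-ChildItem -Path 'HKLM:\SOFTWARE' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'UADC_*' } |
    ForEach-Object { $_.PSPath })
$installDir = Join-Path $env:ProgramFiles 'AdvancedCleaner Free'

$findings = @()
$props = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues) {
    if ($props -and $props.PSObject.Properties[$name]) {
        $findings += [pscustomobject]@{ Type = 'RunValue'; Path = "$runKey\$name"; Data = $props.$name }
        if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -Path $runKey -Name $name
        }
    }
}
foreach ($key in $subKeys) {
    if (Test-Path -Path $key) {
        $findings += [pscustomobject]@{ Type = 'Key'; Path = $key; Data = '' }
        if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Remove-Item -Recurse')) {
            Remove-Item -Path $key -Recurse
        }
    }
}
if (Test-Path -Path $installDir) {
    # The folder is only reported: atl71/mfc71/msvcp71/msvcr71 listed above are
    # stock Visual C++ 7.1 runtime libraries, not malware, so nothing is deleted here.
    $findings += [pscustomobject]@{ Type = 'Folder'; Path = $installDir; Data = '' }
}
if ($findings.Count -eq 0) { 'No AdvancedCleaner indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without switches to see what is present, then with `-Remove -WhatIf` to preview the deletions before committing to them.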

__RiP_ChAiN_
2007-12-17, 06:27
Hello pbarr,

What happened to you appears to have been a rare yet very pesky bug in CF; there is a repair tool we can run to fix the problem, but please delete anything you downloaded in regards to combofix first.

Then please download and run the following tool: http://download.bleepingcomputer.com/sUBs/Beta/NetSvc_Repair.exe

Then please let me know if that got your network working properly again.

pbarr
2007-12-17, 08:32
Rip.

I've got the fix you sent, but before I run it, any thoughts on how to rid myself of the advancedcleaner bug?

The searches I did didn't lead to anything. I don't have their software installed, just the popups that want me to buy their software.

What else can I send you??

Is there something I can put on which will catch programs trying to send data out?

Phil

pbarr
2007-12-17, 08:46
I have no network connections. When I try to create one, I go through the wizard but nothing gets created.

Phil

__RiP_ChAiN_
2007-12-19, 08:07
Hello pbarr,


Is there something I can put on which will catch programs trying to send data out?
A very good firewall?

Something seems to have gone terribly wrong during the running of combofix, let's attempt to restore some created backups.

If you have system restore active on your computer, I would advise you to restore it to a date before combofix was downloaded and run. If this is not an option, do this instead:
Navigate to C:\WINDOWS\ERDNT\subs\ and double click on erdnt.exe

Reboot & post new logs

pbarr
2007-12-19, 16:18
I do have system restore points, however when I try to run system restore (or help or many other programs) I get the message

"System retore is not able to protect you computer. Please Restart your computer, and then try to run system restore again."

rebooting does not help.

Is there a way to run system restore from the command prompt?

__RiP_ChAiN_
2007-12-20, 16:35
Hello pbarr,

Try this:

Start the System Restore Utility (http://keith.geekstogo.com/systemrestore.htm) at a command prompt

1. Restart your computer, and keep tapping F8 during the initial start-up until you get options, select Safe Mode with a Command Prompt then press enter.

2. Log on to your computer with an administrator account or with an account that has administrator credentials.

3. Type the following command at a command prompt, and then press ENTER:

%systemroot%\system32\restore\rstrui.exe

4. Follow the instructions that appear on the screen to restore your computer to an earlier state.

Look for the most recent system checkpoint created before the errors to restore from

For additional information about the Safe mode with a command prompt, click 315222 (http://support.microsoft.com/kb/315222/) to see a description of the Safe Mode Boot Options in Windows XP

__RiP_ChAiN_
2008-01-04, 04:45
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.