PDA

View Full Version : Command adware



Shaad
2008-11-18, 00:12
Command adware is eating up my PC and wont let me do anything. so I would like to remove it.

When I try to remove it using the Control Panel 'Add/Remove Programs'
facility, I get directed to a website (hxxp//command.adservs.com/uninstall.php) for downloading an 'automated removal application'.

I installed Kaspersky, but it didnt help much.

Please could anyone advise to remove it. Will greatly appreciate it.

Thanks in advance.
Shaad

Shaba
2008-11-18, 16:15
Hi Shaad

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Shaad
2008-11-18, 17:24
OK here we go




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:59 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: palmOne Registration.lnk = E:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206552634906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\progra~1\google\google~1\goec62~1.dll nqxlbb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8230 bytes

Shaba
2008-11-18, 17:26
Rename HijackThis.exe to Shaad.exe and post back a fresh HijackThis log, please :)

Shaad
2008-11-18, 17:30
ok this is after re-name the file



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:19 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: palmOne Registration.lnk = E:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206552634906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\progra~1\google\google~1\goec62~1.dll nqxlbb.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8297 bytes

Shaba
2008-11-18, 17:33
Unfortunately it didn't go right.

Rename HijackThis.exe to Shaad.exe by doing the following;

Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename HijackThis.exe to Shaad.exe
When you've renamed HijackThis, open HijackThis again.
Take a fresh HijackThis log (click Do a system scan and save a log file)
Post the fresh HijackThis log here.

Shaad
2008-11-18, 17:37
Hope I did it right this time.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:25 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Shaad.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: {24ef9f34-d9ff-08ab-fbb4-9cdc7deb0b71} - {17b0bed7-cdc9-4bbf-ba80-ff9d43f9fe42} - C:\WINDOWS\system32\nqxlbb.dll
O2 - BHO: (no name) - {1DE1AC19-0761-45CD-B39B-72EAA79AA192} - C:\WINDOWS\system32\mlJAsrrR.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\mlJCRhhh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: palmOne Registration.lnk = E:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206552634906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll c:\progra~1\google\google~1\goec62~1.dll nqxlbb.dll
O20 - Winlogon Notify: mlJCRhhh - C:\WINDOWS\SYSTEM32\mlJCRhhh.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8968 bytes

Shaba
2008-11-18, 17:40
Yes :)

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

Shaad
2008-11-18, 17:53
Combo Text


ComboFix 08-11-17.04 - Viral 2008-11-18 10:43:27.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1271 [GMT -5:00]
Running from: c:\documents and settings\Viral\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Viral\Application Data\gadcom
c:\documents and settings\Viral\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\atuwddsq.dll
c:\windows\system32\laqxtuxp.ini
c:\windows\system32\mlJAsrrR.dll
c:\windows\system32\mlJCRhhh.dll
c:\windows\system32\MSINET.oca
c:\windows\system32\msnav32.ax
c:\windows\system32\nqxlbb.dll
c:\windows\system32\pac.txt
c:\windows\system32\qeiauz.dll
c:\windows\system32\rgdeqjpf.ini
c:\windows\system32\RrrsAJlm.ini
c:\windows\system32\RrrsAJlm.ini2
c:\windows\system32\winpfz33.sys
c:\windows\system32\zxdnt3d.cfg
c:\windows\uninstall_nmon.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.

2008-11-18 10:22 . 2008-11-18 10:22 <DIR> d-------- c:\program files\Trend Micro
2008-11-17 16:53 . 2008-11-17 16:53 <DIR> d-------- c:\documents and settings\Administrator
2008-11-17 16:46 . 2008-11-17 16:46 0 --a------ c:\windows\system32\lo2.txtt
2008-11-17 00:13 . 2008-11-17 00:13 64,859 --a------ c:\windows\system32\rjfmcgezzgmkckxz.exe
2008-11-17 00:09 . 2008-11-17 00:09 <DIR> d-------- c:\program files\Kaspersky Lab
2008-11-17 00:09 . 2008-11-18 10:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-11-17 00:09 . 2008-11-18 10:45 3,082,272 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-11-17 00:09 . 2008-11-18 10:47 376,864 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-11-17 00:09 . 2008-11-17 00:17 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-11-17 00:09 . 2008-11-17 00:09 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-11-17 00:09 . 2008-11-18 10:45 26,208 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-11-17 00:09 . 2008-11-18 10:45 3,388 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-11-16 23:15 . 2008-11-16 23:15 <DIR> d-------- c:\documents and settings\Viral\Application Data\IUpd721
2008-11-16 23:10 . 2008-11-17 00:23 <DIR> d-------- c:\documents and settings\Viral\Application Data\NI.GSCNS
2008-11-16 23:02 . 2008-11-17 01:39 <DIR> d-------- c:\windows\system32\wpd
2008-11-16 23:02 . 2008-11-17 01:39 <DIR> d-------- c:\windows\system32\spc
2008-11-16 23:02 . 2008-11-16 23:02 <DIR> d-------- c:\windows\system32\ocx
2008-11-16 23:02 . 2008-11-17 01:39 <DIR> d-------- c:\windows\system32\dom
2008-11-16 23:02 . 2008-11-17 00:23 <DIR> d--hs---- c:\windows\dmlydQ
2008-11-16 23:01 . 2008-11-17 01:39 <DIR> d-------- c:\windows\system32\sX3i19
2008-11-16 23:01 . 2008-11-16 23:02 <DIR> d-------- c:\temp\PRE45
2008-11-16 23:01 . 2008-11-16 23:01 35,840 --a------ c:\windows\system32\prun.exe
2008-11-16 02:24 . 2008-11-16 02:36 <DIR> d-------- c:\documents and settings\Viral\Application Data\Nero
2008-11-16 02:01 . 2008-11-16 02:01 4,767 --a------ c:\windows\Irremote.ini
2008-11-16 02:00 . 2008-11-16 02:00 <DIR> d-------- c:\program files\Windows Sidebar
2008-11-16 01:51 . 2008-11-16 02:01 <DIR> d-------- c:\program files\Nero
2008-11-16 01:51 . 2008-11-16 02:11 <DIR> d-------- c:\program files\Common Files\Nero
2008-11-16 01:51 . 2008-11-16 01:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
2008-11-15 18:04 . 2008-11-15 18:04 799,329 --a------ C:\IMG_0431.jpg
2008-11-09 23:29 . 2008-11-09 23:29 6,537 --a------ C:\index.html
2008-10-30 23:01 . 2008-10-30 23:02 <DIR> d-------- c:\documents and settings\Viral\Application Data\Multi-Note
2008-10-23 13:01 . 2008-10-23 13:01 <DIR> d-------- c:\documents and settings\Viral\Application Data\Motive
2008-10-23 12:56 . 2008-10-23 12:56 <DIR> d-------- c:\documents and settings\Viral\Application Data\Research In Motion
2008-10-23 12:56 . 2008-10-23 12:56 256 --a------ c:\windows\system32\pool.bin
2008-10-23 12:55 . 2008-10-23 12:55 <DIR> d-------- c:\program files\Research In Motion
2008-10-23 12:55 . 2008-10-23 12:55 <DIR> d-------- c:\program files\Common Files\Research In Motion
2008-10-23 12:55 . 2007-01-18 09:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-10-23 12:42 . 2008-10-23 12:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\MSN6
2008-10-23 12:39 . 2008-10-23 12:39 <DIR> d-------- c:\windows\bin
2008-10-23 12:39 . 2008-10-23 12:39 <DIR> d-------- c:\program files\Common Files\Motive
2008-10-23 12:39 . 2008-10-23 12:39 <DIR> d-------- c:\documents and settings\Viral\Application Data\Verizon
2008-10-23 12:39 . 2008-10-23 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Verizon
2008-10-23 12:39 . 2008-10-23 12:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-10-23 12:38 . 2008-10-23 12:38 <DIR> d-------- c:\program files\verizon_broad
2008-10-23 12:38 . 2008-10-23 12:38 <DIR> d-------- c:\program files\Verizon Broadband Firefox Toolbar
2008-10-23 12:38 . 2008-10-23 14:14 <DIR> d-------- c:\documents and settings\Viral\Application Data\verizon_broad
2008-10-23 12:29 . 2008-10-23 12:42 <DIR> d-------- c:\program files\Verizon

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 15:46 --------- d-----w c:\program files\Steam
2008-11-17 06:38 --------- d-----w c:\documents and settings\Viral\Application Data\FileZilla
2008-11-17 05:08 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-11-17 03:56 --------- d-----w c:\documents and settings\Viral\Application Data\uTorrent
2008-11-13 18:04 --------- d-----w c:\documents and settings\Viral\Application Data\Winamp
2008-11-10 03:41 --------- d-----w c:\documents and settings\Viral\Application Data\LimeWire
2008-10-15 07:45 --------- d-----w c:\program files\PeerGuardian2
2008-10-13 02:45 --------- d-----w c:\documents and settings\Viral\Application Data\SSH
2008-09-22 23:13 --------- d-----w c:\documents and settings\Viral\Application Data\WinAmp Control
2008-09-22 22:49 --------- d-----w c:\program files\Google
2008-09-06 02:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
2005-07-29 21:24 472 --sha-r c:\windows\dmlydQ\xA5Vxk.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8398-26FADCF27386}]
2008-05-30 11:42 1991680 --a------ c:\progra~1\VERIZO~1\VERIZO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-8398-26FADCF27386}"= "c:\progra~1\VERIZO~1\VERIZO~1.DLL" [2008-05-30 1991680]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A057A204-BACC-4D26-8398-26FADCF27386}"= "c:\progra~1\VERIZO~1\VERIZO~1.DLL" [2008-05-30 1991680]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-8398-26fadcf27386}]
[HKEY_CLASSES_ROOT\verizon_broad.VERIZON_BROAD]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-03-06 50528]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-09-14 1603152]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-08 289576]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-22 30192]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-09-28 936960]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 2061816]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\Viral\Start Menu\Programs\Startup\
palmOne Registration.lnk - e:\program files\palmOne\register.exe [2005-09-19 2367488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - e:\program files\palmOne\Hotsync.exe [2004-06-09 471040]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2008-04-17 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi2"= usbkt1x1.dll
"midi3"= usbkt1x1.dll
"midi4"= usbkt1x1.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.2.407\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-03-23 24652]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [2008-03-13 26640]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\DRIVERS\klim5.sys [2008-04-30 24592]
R3 USBKS1X1;Midiman USB Keystation Midi Driver;c:\windows\system32\drivers\usbks1x1.sys [2008-05-30 32476]
S3 GoogleDesktopManager-090808-172447;Google Desktop Manager 5.8.809.8522;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-22 30192]
S3 UKS11LDR;Midiman USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2008-05-30 15740]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8277c6f4-302c-11dd-829b-00044b038aec}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{17b0bed7-cdc9-4bbf-ba80-ff9d43f9fe42} - c:\windows\system32\nqxlbb.dll
BHO-{1DE1AC19-0761-45CD-B39B-72EAA79AA192} - c:\windows\system32\mlJAsrrR.dll
BHO-{73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\mlJCRhhh.dll
ShellExecuteHooks-{73259091-9574-4ED8-A40F-7F65AFC28634} - c:\windows\system32\mlJCRhhh.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Viral\Application Data\Mozilla\Firefox\Profiles\3xe3bxkn.default\
FF -: plugin - c:\documents and settings\Viral\Application Data\Mozilla\Firefox\Profiles\3xe3bxkn.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-18 10:47:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-18 10:49:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 15:49:21

Pre-Run: 44,501,430,272 bytes free
Post-Run: 47,573,823,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

223



Hijack Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:29 AM, on 11/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Shaad.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=fiber&cd=7.0MSN&bm=ms_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {A057A204-BACC-4D26-8398-26FADCF27386} - C:\PROGRA~1\VERIZO~1\VERIZO~1.DLL
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Steam\Steam.exe -silent
O4 - Startup: palmOne Registration.lnk = E:\Program Files\palmOne\register.exe
O4 - Global Startup: HotSync Manager.lnk = E:\Program Files\palmOne\Hotsync.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206552634906
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Google Desktop Manager 5.8.809.8522 (GoogleDesktopManager-090808-172447) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7676 bytes

Shaba
2008-11-18, 17:59
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

Shaad
2008-11-18, 19:14
ok. here is the list.


Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AIM 6
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
BlackBerry Desktop Software 4.6
BlackBerry Desktop Software 4.6
Canon MP Navigator EX 1.0
Canon MP210 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Cisco Systems VPN Client 5.0.01.0600
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD X Rescue
DVDXCopy Platinum 3.2.1
FileZilla Client 3.1.0.1
Garmin WebUpdater
Garmin WebUpdater
Google Desktop
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 5
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
LimeWire 4.16.7
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
MSXML 4.0
MSXML 4.0
MSXML 6.0 Parser
Nero 9
neroxml
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
palmOne
QuickTime
Realtek High Definition Audio Driver
Reason 4.0
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Sony ACID Pro 6.0
Sony Media Manager 2.2
Sony Sound Forge 8.0d
SSH Secure Shell
Steam
TomTom HOME
Update for Windows XP (KB904942)
VeohTV BETA
Verizon Broadband Toolbar (IE only)
Verizon Broadband Toolbar Firefox only
Verizon Online Help and Support
Verizon Servicepoint 1.5.12
VideoLAN VLC media player 0.7.2-test2
Viewpoint Media Player
Visual C++ 8.0 CRT (x86) WinSXS MSM
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Wolfram Mathematica 6
Wolfram Notebook Indexer 2.0

Shaad
2008-11-18, 19:16
PS: I don't Command Adware thing. Looks like its finally done. Thanks Shaba

Shaba
2008-11-18, 19:40
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 4.16.7

I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Please run a new uninstall list scan when finished and post the log back here.

Shaad
2008-11-18, 20:05
Yeah true. I dont use Limewire anyway and I wont need P2P, if i dont have limewire.


Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.2
AIM 6
Apple Mobile Device Support
Apple Software Update
ATI - Software Uninstall Utility
ATI AVIVO Codecs
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
ATI Parental Control & Encoder
ATI Problem Report Wizard
BlackBerry Desktop Software 4.6
BlackBerry Desktop Software 4.6
Canon MP Navigator EX 1.0
Canon MP210 series
Canon My Printer
Canon Utilities Easy-PhotoPrint EX
Cisco Systems VPN Client 5.0.01.0600
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD X Rescue
DVDXCopy Platinum 3.2.1
FileZilla Client 3.1.0.1
Garmin WebUpdater
Garmin WebUpdater
Google Desktop
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iTunes
J2SE Runtime Environment 5.0 Update 3
Java(TM) 6 Update 5
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.4)
MSXML 4.0
MSXML 4.0
MSXML 6.0 Parser
Nero 9
neroxml
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
palmOne
QuickTime
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Sony Media Manager 2.2
SSH Secure Shell
Steam
TomTom HOME
Update for Windows XP (KB904942)
VeohTV BETA
Verizon Broadband Toolbar (IE only)
Verizon Broadband Toolbar Firefox only
Verizon Online Help and Support
Verizon Servicepoint 1.5.12
VideoLAN VLC media player 0.7.2-test2
Viewpoint Media Player
Visual C++ 8.0 CRT (x86) WinSXS MSM
Winamp
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
Wolfram Mathematica 6
Wolfram Notebook Indexer 2.0

Shaad
2008-11-18, 20:06
Also i deleted some of the unnecessary program that I don't use.

Shaba
2008-11-18, 20:10
Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\lo2.txtt
c:\windows\system32\rjfmcgezzgmkckxz.exe
c:\windows\system32\prun.exe

Folder::
c:\windows\system32\wpd
c:\windows\system32\spc
c:\windows\system32\ocx
c:\windows\system32\dom
c:\windows\dmlydQ
c:\windows\system32\sX3i19
c:\temp\PRE45
c:\windows\dmlydQ
c:\documents and settings\Viral\Application Data\uTorrent
c:\documents and settings\Viral\Application Data\LimeWire
c:\Program Files\uTorrent
c:\Program Files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Shaad
2008-11-18, 21:10
shit i just deleted, ComboFix. I thought I dont need it anymore since command adware is removed off my computer. I guess im gona have to Dl again?

Shaba
2008-11-18, 21:14
Yes, you will need to download it again.

Shaba
2008-11-23, 12:23
Due to the lack of feedback this Topic is closed.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.