PDA

View Full Version : Problems with random Firefox windows popping up



JMT-Z
2006-07-25, 05:09
At first it was popping up the "Command Service" in S&D, doesnt seem to pop up after messing around with a few cleaning programs...but the problems are still here. I read the "Before you Post" post....

1. Tried the online virus scan and nothing came up.

2-3. Ran S&D in safe mode until nothing was picked up(only took once)

4. Heres the hijackthis log.(I cant find where to get rid of the wrap text on here..it is off on the notepad i copied this from.




Logfile of HijackThis v1.99.1
Scan saved at 8:51:33 PM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\vvtfjw.exe
C:\Program Files\Common Files\{A81AB28D-031D-1033-0608-040323040001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\TClock\TClock.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\hyjack\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDOWS] C:\WINDOWS\system32\vvtfjw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2843D65B-D0CD-43FF-937C-9ED7BE80964C}: NameServer = 192.168.0.1
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\o2lu0c39ef.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ATI Task Scheduler (TKATI) - Unknown owner - C:\WINDOWS\taskati.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

tashi
2006-07-28, 17:17
Hello and sorry for the wait.

If you are still in need of assistance we do have a sticky topic:

If you have waited four days for advice post here. (http://forums.spybot.info/showthread.php?p=4836#post4836)

pskelley
2006-08-03, 00:25
Hello and welcome to the forum. Sorry for the wait, logs are many and volunteers are few. You have a bunch of junk on your computer and my first thought is to keep it offline to keep from attracting more junk until we get it clean. I would appreciate it if you limit to checking email.

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isnt you can use sc.exe to start it

start>run sc start schedule press enter.

Post the information bolded above and I will respond with instructions as soon as possible after that.

Thanks...pskelley
Safer Networking Forums

JMT-Z
2006-08-03, 23:07
Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/3/2006 2:50:21 PM

Infected! C:\WINDOWS\system32\h6n00g5me6.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP541\A0289931.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291697.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291699.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291700.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291719.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291740.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291746.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291811.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291835.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291853.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291854.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291855.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291889.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291901.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291919.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291925.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291932.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291950.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291956.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291962.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291968.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291974.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0292973.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0293973.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294640.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294646.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294649.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294655.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295786.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295791.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297793.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297800.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297801.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297802.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297803.dll
Infected! C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP562\A0299843.dll
Infected! C:\WINDOWS\system32\aza8l93u1.dll
Infected! C:\WINDOWS\system32\h6n00g5me6.dll
Infected! C:\WINDOWS\system32\mvl8l93u1.dll
Infected! C:\WINDOWS\system32\n2r2lc9o1f.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\h6n00g5me6.dll
C:\WINDOWS\system32\h6n00g5me6.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP541\A0289931.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP541\A0289931.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291697.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291697.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291699.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291699.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291700.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291700.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291719.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP550\A0291719.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291740.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291740.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291746.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291746.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291811.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291811.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291835.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291835.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291853.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291853.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291854.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291854.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291855.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291855.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291889.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291889.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291901.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291901.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291919.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291919.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291925.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291925.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291932.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291932.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291950.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291950.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291956.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291956.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291962.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291962.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291968.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291968.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291974.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0291974.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0292973.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0292973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0293973.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP551\A0293973.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294640.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294640.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294646.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294646.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294649.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294649.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294655.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP553\A0294655.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295786.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295786.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295791.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP555\A0295791.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297793.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297793.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297800.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297800.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297801.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297801.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297802.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297802.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297803.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP558\A0297803.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP562\A0299843.dll
C:\System Volume Information\_restore{25238703-D1B4-421A-AA7C-F1D755EF5EBD}\RP562\A0299843.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\aza8l93u1.dll
C:\WINDOWS\system32\aza8l93u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\h6n00g5me6.dll
C:\WINDOWS\system32\h6n00g5me6.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mvl8l93u1.dll
C:\WINDOWS\system32\mvl8l93u1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n2r2lc9o1f.dll
C:\WINDOWS\system32\n2r2lc9o1f.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{0B61908E-E47B-4F39-BFA1-8994DE92B67D}"
HKCR\Clsid\{0B61908E-E47B-4F39-BFA1-8994DE92B67D}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C9A3A2B6-D4E1-40AC-900B-14B27D883992}"
HKCR\Clsid\{C9A3A2B6-D4E1-40AC-900B-14B27D883992}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{15CB2C5B-75CF-425D-8C7E-8DEE014930D9}"
HKCR\Clsid\{15CB2C5B-75CF-425D-8C7E-8DEE014930D9}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

JMT-Z
2006-08-03, 23:07
Logfile of HijackThis v1.99.1
Scan saved at 3:04:03 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Antivirus\hyjack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2843D65B-D0CD-43FF-937C-9ED7BE80964C}: NameServer = 192.168.0.1
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ATI Task Scheduler (TKATI) - Unknown owner - C:\WINDOWS\taskati.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

pskelley
2006-08-04, 00:24
Thanks for returning the information, let's try this next.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Take a look in Start > Control Panel > Add Remove programs and uninstall TClock if there. Also uninstall anything else you know does not belong ther. If you are not sure, let me know and I will look.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\WINDOWS\System32\shdocvw.dll
(next option, if you put it there, you may leave it)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTS...etaStream3.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\TClock\ <<< folder

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and let me have some feedback from you.

Thanks

JMT-Z
2006-08-04, 01:36
Restart the computer and post a new HJT log and let me have some feedback from you.

Thanks
Thanks for the help. The Tclock stuff was already all gone, and i did everything else you said. Its a tough call on whether its all working or not because the pop ups are playing with my mind or something....lately they have stopped, but i havent really changed anything to stop them so I keep expecting it to come back.



Logfile of HijackThis v1.99.1
Scan saved at 5:30:51 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Flexlm\SolidWorks SolidNetWork License Manager\SW_D.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Antivirus\hyjack\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2843D65B-D0CD-43FF-937C-9ED7BE80964C}: NameServer = 192.168.0.1
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SolidWorks SolidNetWork License Manager - Macrovision Corporation - C:\Flexlm\SolidWorks SolidNetWork License Manager\lmgrd.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: ATI Task Scheduler (TKATI) - Unknown owner - C:\WINDOWS\taskati.exe (file missing)
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

pskelley
2006-08-04, 01:55
I understand your feeling, I have three computers and would go nuts if one of them got infected. I am constantly on the lookout.

The major player in your infection was Look2me, that is adware and that is what it does. Thanks again to Atribune, that infection would be a lot harder to remove without his fix.
Your HJT log is clean of malware, and the only issues I see is the Java program that needs and update:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Safe surfing...tashi:) will close your topic in a day or so.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

JMT-Z
2006-08-04, 03:20
Thank you...I cleared the system restore and got rid of the old java versions and got the newest update. Hopefully everything is all good again....if not im sure you guys will be hearing from me again.

LonnyRJones
2006-08-08, 05:16
Im Glad we could help
Since the problems are solved Im going to close the topic now, this keeps others with similar problems from posting there logs/question here, they should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).