View Full Version : Pop-ups, connection problem - please help!
I'm currently getting a lot of pop-ups, mostly advertising anti-spyware stuff.
I am also getting disconnected from the internet every 20 minutes,which I think is because of this 'command service' thing which spybot found and deleted, but it didn't fix the problem.
I downloaded hijack this and this is the log:
Logfile of HijackThis v1.99.1
Scan saved at 17:15:13, on 01/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fc52d965.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cool.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [fc52d965.exe] C:\WINDOWS\system32\fc52d965.exe
O4 - HKCU\..\Run: [fc52d965.exe] C:\Documents and Settings\Oliver Marsh\Local Settings\Application Data\fc52d965.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm356YYGB
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://by109fd.bay109.hotmail.msn.com
O15 - Trusted Zone: www.msn.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{85292E93-3CC4-4CCF-912C-99A493AF98AA}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
Please identify the problem and help me!
Thank you in advance.
pskelley
2006-10-02, 01:48
Welcome to the forum, tp know where the popups are directing you to helps us identify the malware. Please follow these instructions.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [fc52d965.exe] C:\WINDOWS\system32\fc52d965.exe
O4 - HKCU\..\Run: [fc52d965.exe] C:\Documents and Settings\Oliver Marsh\Local Settings\Application Data\fc52d965.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm356YYGB
(optional removal, do you trust these four enough to give this much access to your computer?)
O15 - Trusted Zone: http://www.google.co.uk
O15 - Trusted Zone: www.hotmail.com
O15 - Trusted Zone: http://by109fd.bay109.hotmail.msn.com
O15 - Trusted Zone: www.msn.com
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\cool.exe <<< delete that file
C:\WINDOWS\system32\fc52d965.exe <<< delete that file
C:\Documents and Settings\Oliver Marsh\Local Settings\Application Data\
fc52d965.exe <<< delete that file
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log, add any comments you think will help and let me know how the computer is running.
Thanks
Thank you for your help. I have followed your instructions and since then I have not encountered any pop-ups.:D:
The connection problem remains. Usually when I click on Start > Connect to, it just shows 'Alcatel Speedtouch connection', but when I lose my connection, 'ENTER' appears as another option and 'coolweb' appears shortly after. I hope that helps.
Logfile of HijackThis v1.99.1
Scan saved at 15:32:23, on 02/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.com:8080;ftp=http://www-cache.freeserve.com:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{85292E93-3CC4-4CCF-912C-99A493AF98AA}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
pskelley
2006-10-02, 19:28
First let me say that your log appears to be clean of malware. Now let's look at this item:
Alcatel Speedtouch connection Look at the Google on this one:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=Alcatel+Speedtouch+connection
I would start by checking with your ISP about this, it looks like a legitimate item? Malware may have made changes in your setting that are causing you these issues. The only one that can tell you how to correct the settings is the ISP technical folks.
Let's also let ewido have a look to see if it spots any other problems:
ewido scan: Delete anything ewido locates unless you know it is not bad.
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
Post the results of the ewido scan and let me know what your ISP technical support had to say.
Thanks
The link( http://www.ewido.net/en/download/) you provided ends up at AVG Anti-spyware 7.5 - is this correct? I downloaded it, but when I tried to install it, it stopped when it reached: ' Registering C:\Program Files\Grisoft\AVG-Spyware 7.5\context.dll ' I tried several times, but it won't get past it.
pskelley
2006-10-02, 22:58
Grisoft which is the parent company of AVG antivirus, recently purchased ewido. At that point ewido was 3.5. It was updated to 4.0 and now it looks like they are calling it something else. It is still available and it is still free. Why you are having a problem downloading it I do not know.
When you open this link: http://www.ewido.net/en/download/ look to the extreme right on that webpage to see:
ewido anti-spyware 4.0 becomes
AVG Anti-Spyware 7.5
ewido anti-spyware 4.0 will now continue under the new product name AVG Anti-Spyware 7.5. AVG Anti-Spyware 7.5 contains the same ewido technology, but with some further enhanced features:
Highly improved cleaning
Lower resource usage
Additional languages supported
All current licenses for ewido anti-spyware 4.0 will continue to be valid, and users can change over to the new AVG Anti-Spyware 7.5 for free.
Thanks
The 'ewido' report:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 15:34:53 03/10/2006
+ Scan result:
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F068747A-E487-4391-9B03-C6DD10\681CF5D3-B0BC-44C7-A9B4-B16D10 -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F068747A-E487-4391-9B03-C6DD10\74338995-276C-4E47-A096-CC74F8 -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\Program Files\Microsoft AntiSpyware\Quarantine\F068747A-E487-4391-9B03-C6DD10\EE7E01F3-36EF-4B18-A3D1-F2E844 -> Adware.Bestofer : Cleaned with backup (quarantined).
C:\WINDOWS\chntbc.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
C:\WINDOWS\upudmdusapm.exe -> Adware.BetterInternet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{197B8CA4-E215-46DD-8F33-E0544A80E5C4} -> Adware.SafeSurfing : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{71D1708F-973D-4600-AF01-AD86688403AE} -> Adware.SafeSurfing : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{197B8CA4-E215-46DD-8F33-E0544A80E5C4} -> Adware.SafeSurfing : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{71D1708F-973D-4600-AF01-AD86688403AE} -> Adware.SafeSurfing : Cleaned with backup (quarantined).
C:\Downloads\RiskIISetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\system32\khfdded.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\gba250.exe -> Dialer.GBDialer.d : Cleaned with backup (quarantined).
C:\Documents and Settings\Oliver Marsh\Local Settings\Temporary Internet Files\Content.IE5\WSJVY0IA\srvafv[1].exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\Documents and Settings\Oliver Marsh\Local Settings\Temporary Internet Files\Content.IE5\WSJVY0IA\srvyfv[1].exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\Documents and Settings\Oliver Marsh\Local Settings\Temporary Internet Files\Content.IE5\Y8I12CDW\srvjkb[1].exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win39.tmp.exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win5.tmp.exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win6.tmp.exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win9.tmp.exe -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.16\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.17\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.18\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.19\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.20\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.21\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.22\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.23\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.24\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.25\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.26\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.27\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.28\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.29\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.30\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.31\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.32\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.33\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.34\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.35\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.36\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.37\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.38\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.39\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.40\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.41\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\close.exe -> Dialer.Riprova : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Application Data\fc52d965.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\miniclipGameLoader.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ld8DD8.tmp -> Downloader.Zlob.ep : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ljpdbxpl.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mretljfj.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\orsuhlyn.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\spuidige.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\WINDOWS\system32\yooedmon.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@premiumtv.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@adtech[2].txt -> TrackingCookie.Adtech : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@e-2dj6wflisndjmeo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@e-2dj6wfloujajkko.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@e-2dj6wjk4gicpgdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Oliver Marsh\Cookies\oliver marsh@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Downloaded Program Files\1828.exe -> Trojan.Dialer.hc : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\dialere.exe -> Trojan.Dialer.hh : Cleaned with backup (quarantined).
C:\Documents and Settings\Oliver Marsh\Local Settings\Temporary Internet Files\Content.IE5\V6QOJH1C\srvokk[1].exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cool.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
C:\Program Files\BlazingTools Perfect Keylogger Basic\order.url -> Trojan.Keylog.153 : Cleaned with backup (quarantined).
C:\Program Files\BlazingTools Perfect Keylogger Basic\downloads.url -> Trojan.Keylog.154 : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\WINDOWS\system32\26aw.dll -> Trojan.Kolweb.f : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rock.exe -> Trojan.LowZones.dm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldDEAF.tmp -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
pskelley
2006-10-03, 17:54
OK Brian1, That program found and quarantined a load of junk HJT could not see. That's understandable, HJT would need to be a hugh program to see everything. The junk you placed in quarantine can be deleted any time you want, I see nothing there that is anything but junk. Post another HJT log for a last look and let me know how the computer is running now. I am also interested in what your ISP had to say about the connection window issue you are having.
Let me talk a look at your uninstall list like this:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Thanks
I tried clicking the "save list..." button, but nothing happened. Is this supposed to happen?
I found that whenever I lose my connection, AVG Anti-spyware brings up a warning of either:
"Trojan.Dialer.qs" in C:\WINDOWS\system32\cool.exe or C:\WINDOWS\TEMP\win29tmp.exe
or "Dialer.InstantAccess.k" in C:\WINDOWS\TEMP\win25tmp.exe
I hope this helps.
pskelley
2006-10-05, 00:11
I would like a look at your uninstall list, please follow these directions:
http://www.bleepingcomputer.com/tutorials/tutorial42.html#uniman
How to use the Uninstall Manager
The Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list. When cleaning malware from a machine entries in the Add/Remove Programs list invariably get left behind. Many users understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries. Using the Uninstall Manager you can remove these entries from your uninstall list.
To access the Uninstall Manager you would do the following:
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button. You will now be presented with a screen similar to the one below:
If you are asked to save this list and post it so someone can examine it and advise you as to what you should remove, you can click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply in the topic you are getting help in.
____________________________________________________________
These items are no doubt bad, I can't see them in the log.
C:\WINDOWS\system32\cool.exe <<< delete that file
C:\WINDOWS\TEMP\win29tmp.exe <<< delete everything in the Temp folder
C:\WINDOWS\TEMP\win25tmp.exe
You will need to show hidden files then delete those items. Delete everything in the C:\Windows\Temp\ <<< folder If you have to, boot to safe mode to do this.
____________________________________________________________
Let's look at a combofix leg to see what it shows us:
Thanks to sUBs and anyone who helped with this fix.
1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
If the log is large You might need to post half in one reply half in another.
Post the combofix log and the uninstall list.
Thanks
Since I have deleted 'C:\WINDOWS\TEMP' folder the connection problem has stopped! Thank you!
Sorry for the delay, but the issue with HijackThis was that when I clicked 'save list...', the instructions say notepad should open with all the information in it, but it didn't open. Sometimes the 'save list...' button did nothing, other times it just closed HijackThis.
pskelley
2006-10-08, 13:11
Humm...I have no idea why that is happening in HJT and use that tool all of the time. You may want to delete HJT and download it again in case something got corrupted in the first download. This is a good download link:
http://www.merijn.org/files/HijackThis.exe
Are you saying that all of your issues appear to be resolved? If so, post a quick let me know so I can close your topic. If not, please post that combofix log.
Thanks...Phil
The connection problem had stopped for a few days, but it has now come back. AVG Anti-spyware brings up warnings of files created in the C:\WINDOWS\TEMP folder again and I sometimes have to restart my comp to re-connect to the internet.
I deleted Hijackthis and then downloaded it again, but that didn't solve it, it still won't save the list of software.
Heres the combofix log, if its still of use:
((((((((((((((((((((((((((((((( Files Created from 2006-09-13 to 2006-10-13 ))))))))))))))))))))))))))))))))))
2006-10-12 15:55 98,324 --a------ C:\WINDOWS\system32\tmegdqrl.dll
2006-10-11 07:09 93,696 --a------ C:\WINDOWS\system32\pvcqrsg.dll
2006-10-11 07:09 72,704 --a------ C:\WINDOWS\system32\akqhghi.dll
2006-10-05 15:50 763,173 ---hs---- C:\WINDOWS\system32\knnmp.ini2
2006-10-03 07:08 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-09-29 07:06 73,748 --a------ C:\WINDOWS\system32\amkaioar.dll
2006-09-29 07:06 143,380 --a------ C:\WINDOWS\system32\xwkhdald.exe
2006-09-13 07:04 764,577 ---hs---- C:\WINDOWS\system32\knnmp.bak2
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-10-13 16:48 2841 --ahs---- C:\WINDOWS\system32\MMF.SYS
2006-10-11 20:43 -------- d-------- C:\Program Files\Windows Resource Kits
2006-10-10 20:27 -------- d-------- C:\Documents and Settings\Oliver Marsh\Application Data\InstallShield
2006-10-09 16:08 -------- d-------- C:\Documents and Settings\Oliver Marsh\Application Data\BitTorrent
2006-10-09 07:10 -------- d-------- C:\Program Files\New Folder
2006-10-08 11:05 -------- d-------- C:\Documents and Settings\Oliver Marsh\Application Data\uTorrent
2006-10-07 18:47 58952 --a------ C:\WINDOWS\system32\MsgPlusLoader.dll
2006-10-02 19:26 -------- d-------- C:\Program Files\Grisoft
2006-09-10 09:06 622110 ---hs---- C:\WINDOWS\system32\knnmp.bak1
2006-09-10 09:06 577588 ---hs---- C:\WINDOWS\system32\pmnnk.dll
2006-09-10 08:46 18944 --a------ C:\WINDOWS\system32\winccf32.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-19 16:03 -------- d--h----- C:\Program Files\Cacheman
2006-08-19 15:44 -------- d--h----- C:\Program Files\CCleaner
2006-08-19 13:11 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-08-16 15:16 -------- d--h----- C:\Program Files\Blubster
2006-08-12 08:50 221279 --ah----- C:\Darkthrone_Calculator.exe
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 17:12 2841 --ahs---- C:\WINDOWS\system32\MMF(5).SYS
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"pvcqrsg.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\pvcqrsg.dll,ipwnceb"
"Lexmark X1100 Series"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:95,00,00,00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ATI CATALYST System Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\ATI CATALYST System Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\ATITEC~1\\ATI.ACE\\CLI.exe SystemTray"
"item"="ATI CATALYST System Tray"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AGRSMMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AGRSMMSG"
"hkey"="HKLM"
"command"="AGRSMMSG.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\au]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DealioAu"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Dealio\\DealioAu.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Creative Detector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTDetect"
"hkey"="HKCU"
"command"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe /R"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EA Core]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Core"
"hkey"="HKCU"
"command"="C:\\Program Files\\Electronic Arts\\EA Downloader\\Core.exe -silent"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IDMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IDMAN"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\INTERN~2\\IDMAN.EXE /onboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSPM Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="isuspm"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\isuspm.exe\" -startup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ISUSScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="issch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Lexmark X1100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbkbmgr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\seticlient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SETI@home"
"hkey"="HKCU"
"command"="C:\\Program Files\\SETI@home\\SETI@home.exe -min"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SoundMan]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SOUNDMAN"
"hkey"="HKLM"
"command"="SOUNDMAN.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpeedTouch USB Diagnostics]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dragdiag"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows Defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MSASCui"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"inimapping"="0"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\WTR.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
Completion time: 06-10-13 19:15:08.20
ComboFix3.txt
ComboFix2.txt
ComboFix.txt
pskelley
2006-10-13, 21:55
Let's get a new look at things, I believe you have a hidden Vundo infection and who knows what else. Please do this:
1) Return to here: C:\Program Files\hijackthis\HijackThis.exe <<< right click the .exe and rename it to say Brian1.exe or something like that.
Post that log so I can have a look at it.
2) Follow these directions: http://forums.spybot.info/showthread.php?t=4394
If you encounter a file that can't be removed the first time, it would help if you would upload the file to here:
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
You will know when the fix has been successful, when all files the fix locates have been "deleted", then:
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Thanks
Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 09:08, on 06-10-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ultimate Defender\App.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Oliver Marsh\Desktop\Brian1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0E0C27BC-EF3E-9F38-19BD-01F3BADF4F98} - C:\WINDOWS\system32\akqhghi.dll
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tmegdqrl.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BE4FF55E-906C-4E8B-9831-C1D5E701E138} - C:\WINDOWS\system32\pmnnk.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pvcqrsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pvcqrsg.dll,ipwnceb
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{85292E93-3CC4-4CCF-912C-99A493AF98AA}: NameServer = 195.92.195.95 195.92.195.94
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: pmnnk - C:\WINDOWS\system32\pmnnk.dll
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Vundofix.txt:
VundoFix V6.2.2
Checking Java version...
Scan started at 09:09:27 06-10-15
Listing files found while scanning....
C:\WINDOWS\system32\akqhghi.dll
C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\amkaioar.dll
C:\WINDOWS\system32\tmegdqrl.dll
C:\WINDOWS\system32\xwkhdald.exe
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.tmp
Beginning removal...
Attempting to delete C:\WINDOWS\system32\akqhghi.dll
C:\WINDOWS\system32\akqhghi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\winccf32.dll
C:\WINDOWS\system32\winccf32.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.bak1
C:\WINDOWS\system32\knnmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.bak2
C:\WINDOWS\system32\knnmp.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\knnmp.tmp
C:\WINDOWS\system32\knnmp.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\amkaioar.dll
C:\WINDOWS\system32\amkaioar.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tmegdqrl.dll
C:\WINDOWS\system32\tmegdqrl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xwkhdald.exe
C:\WINDOWS\system32\xwkhdald.exe Has been deleted!
Performing Repairs to the registry.
Done!
The second Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 09:24, on 06-10-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Ultimate Defender\App.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Oliver Marsh\Desktop\Brian1.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {0E0C27BC-EF3E-9F38-19BD-01F3BADF4F98} - C:\WINDOWS\system32\akqhghi.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tmegdqrl.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BE4FF55E-906C-4E8B-9831-C1D5E701E138} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pvcqrsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pvcqrsg.dll,ipwnceb
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\PROGRA~1\INTERN~2\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{85292E93-3CC4-4CCF-912C-99A493AF98AA}: NameServer = 195.92.195.94 195.92.195.95
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
pskelley
2006-10-15, 12:43
See this information about this rouge spyware program:
C:\Program Files\Ultimate Defender\App.exe
http://www.spywarewarrior.com/rogue_anti-spyware.htm
uses flawed, inadequate detections scheme; same app as 1stAntiVirus, KillSpy, SpyDeface, SpyContra, & XSRemover [A: 3-1-06 / U: 3-9-06]You did not download that junk did you?
C:\Documents and Settings\Oliver Marsh\Desktop\Brian1.exe <<< Move HJT from the Desktop for safety. I prefer C:\HJT\HijackThis.exe, if you need additional instructions use these: http://russelltexas.com/malware/createhjtfolder.htm
HJT was properly placed and it appears you moved it?
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove programs and uninstall Ultimate Defender if there. While there uninstall any programs you know do not belong there. If you are unsure, let me know and I will look.
4) We have two spyware programs running that will block the HJT changes we must make, turn them off until you are done:
First disable Ewido, as it might be trying to interfere...
Under 'Your security status', if the real time protection is active, deactivate it by clicking 'real time protection' until the status says 'inactive'
We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {0E0C27BC-EF3E-9F38-19BD-01F3BADF4F98} - C:\WINDOWS\system32\akqhghi.dll (file missing)
O2 - BHO: (no name) - {1DAEFCB9-06C8-47c6-8F20-3FB54B244DAA} - C:\WINDOWS\system32\tmegdqrl.dll (file missing)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
O2 - BHO: (no name) - {BE4FF55E-906C-4E8B-9831-C1D5E701E138} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O4 - HKLM\..\Run: [pvcqrsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\pvcqrsg.dll,ipwnceb
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide G
O4 - Startup: .protected
O4 - Global Startup: .protected
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be gone, just DO NOT miss them)
C:\Program Files\Ultimate Defender\ <<< delete that folder
C:\WINDOWS\system32\pvcqrsg.dll <<< delete that file
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log. Let me know how the computer is running now.
Thanks
This topic is closed due to lack of a response. :scratch:
If you need it re-opened please send me a private message (pm) and provide a link to the thread.
Applies only to the original topic starter.