Results 1 to 5 of 5

Thread: Please Help / HJT Log

  1. #1
    Junior Member
    Join Date
    Sep 2008
    Posts
    3

    Default Please Help / HJT Log

    I appreciate any help you can give. My browser is constantly shooting pop ups whenever I browse.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:16:08 PM, on 9/1/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\Program Files\Citrix\GoToMyPC\g2comm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Citrix\GoToMyPC\g2pre.exe
    C:\Program Files\Citrix\GoToMyPC\g2tray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Napster\napster.exe
    C:\Documents and Settings\rworrell\Local Settings\Application Data\FolderShare\FolderShare.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\X1\X1FileMonitor.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\program files\x1\X1Systray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
    C:\WINDOWS\system32\hpbpro.exe
    C:\WINDOWS\system32\hpboid.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5080512
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5080512
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
    O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\rworrell\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [X1FileMonitor.exe] C:\Program Files\X1\X1FileMonitor.exe
    O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/CallAssist.../VCAVMUtil.CAB
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: __c00DA718 - C:\WINDOWS\system32\__c00DA718.dat
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 9499 bytes

  2. #2
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
    This can be a tough infection to remove so do not expect fast or easy.

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Remove any old copies of combofix before you proceed.

    Thanks to sUBs and anyone else who helped with this fix.

    It is important that it is saved directly to your Desktop.

    Download ComboFix from Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Post the combofix log and a new HJT log.

    Tutorial
    http://www.bleepingcomputer.com/comb...o-use-combofix

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    Junior Member
    Join Date
    Sep 2008
    Posts
    3

    Default

    Thanks for the quick response. I disconnected my machine, ran ComboFix, it rebooted, and here is the latest HJT log... It appears that the symptoms of the problem have gone away. No more pop-ups. Am I clean? Thank you very much!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:46:37 PM, on 9/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Citrix\GoToMyPC\g2comm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Citrix\GoToMyPC\g2pre.exe
    C:\Program Files\Citrix\GoToMyPC\g2tray.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Napster\napster.exe
    C:\Documents and Settings\rworrell\Local Settings\Application Data\FolderShare\FolderShare.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\X1\X1FileMonitor.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\X1\X1.exe
    C:\program files\x1\X1Systray.exe
    C:\Program Files\X1\X1Service.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5080512
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
    O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [GoToMyPC] "C:\Program Files\Citrix\GoToMyPC\g2svc.exe" -logon
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
    O4 - HKCU\..\Run: [NVIDIA nTune] C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
    O4 - HKCU\..\Run: [Windows Live FolderShare] "C:\Documents and Settings\rworrell\Local Settings\Application Data\FolderShare\FolderShare.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [X1FileMonitor.exe] C:\Program Files\X1\X1FileMonitor.exe
    O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {8BE5651C-D60B-4B59-B5B2-F0EB93733D17} (IOBIVMUtil.VMDecoder) - https://www36.verizon.com/CallAssist.../VCAVMUtil.CAB
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
    O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
    O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
    O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
    O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    --
    End of file - 8968 bytes

  4. #4
    Junior Member
    Join Date
    Sep 2008
    Posts
    3

    Default

    Forgot the ComboFix log... Sorry...

    ComboFix 08-09-03.01 - rworrell 2008-09-03 20:36:34.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2754 [GMT -4:00]
    Running from: C:\Documents and Settings\rworrell\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\#SharedObjects\5QGU7QZP\bin.clearspring.com
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\#SharedObjects\5QGU7QZP\bin.clearspring.com\clearspring.sol
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\#SharedObjects\5QGU7QZP\interclick.com
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\#SharedObjects\5QGU7QZP\interclick.com\ud.sol
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\rworrell\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\rworrell\Cookies\rworrell@ehg-wachovia.hitbox[2].txt
    C:\Documents and Settings\rworrell\Cookies\rworrell@www35.vzw[2].txt
    C:\WINDOWS\system32\__c00DA718.dat
    F:\Autorun.inf

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-04 to 2008-09-04 )))))))))))))))))))))))))))))))
    .

    2008-09-01 21:30 . 2008-09-01 21:30 0 --a------ C:\WINDOWS\nsreg.dat
    2008-08-31 22:11 . 2008-08-31 23:00 <DIR> d-------- C:\Documents and Settings\rworrell\.housecall6.6
    2008-08-31 20:51 . 2008-08-31 20:51 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-08-31 20:51 . 2008-08-31 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-29 20:59 . 2008-08-29 20:59 <DIR> d-------- C:\Program Files\Lavasoft
    2008-08-29 20:59 . 2008-08-29 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-08-24 20:09 . 2008-08-24 20:09 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-18 20:15 . 2008-08-18 20:23 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-08-14 21:11 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\drivers\61883.sys
    2008-08-14 21:11 . 2004-08-03 23:10 48,128 --a------ C:\WINDOWS\system32\dllcache\61883.sys
    2008-08-12 18:49 . 2008-05-01 10:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-10 21:05 . 2008-08-10 21:07 <DIR> d-------- C:\Program Files\Paint.NET
    2008-08-07 21:40 . 2008-08-07 21:40 <DIR> d-------- C:\Program Files\FolderMatch
    2008-08-07 21:40 . 2004-06-07 10:21 874,248 --a------ C:\WINDOWS\system32\SmartUI2.ocx
    2008-08-07 21:40 . 2000-05-22 00:00 647,872 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
    2008-08-07 21:40 . 2002-02-05 10:59 599,800 --a------ C:\WINDOWS\system32\Cfx4032.ocx
    2008-08-07 21:40 . 2003-04-04 13:37 319,488 --a------ C:\WINDOWS\system32\SNTP Wizard2.ocx
    2008-08-07 21:40 . 2006-09-04 13:57 270,880 --a------ C:\WINDOWS\system32\MyCommandButton.ocx
    2008-08-07 21:40 . 1999-05-07 01:00 244,232 --a------ C:\WINDOWS\system32\Msflxgrd.ocx
    2008-08-07 21:40 . 2004-03-09 20:45 212,240 --a------ C:\WINDOWS\system32\RICHTX32.OCX
    2008-08-07 21:40 . 2005-07-07 10:57 159,744 --a------ C:\WINDOWS\system32\stamin32.dll
    2008-08-07 21:40 . 2001-10-08 08:46 136,976 --a------ C:\WINDOWS\system32\SfxBar.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-03 09:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Retrospect
    2008-09-03 01:10 --------- d-----w C:\Program Files\Handbrake
    2008-08-30 00:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-27 00:56 --------- d-----w C:\Documents and Settings\rworrell\Application Data\.oit
    2008-08-27 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-07-31 22:38 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-07-31 22:21 --------- d-----w C:\Program Files\Netflix
    2008-07-25 02:35 --------- d-----w C:\Program Files\X1
    2008-07-17 01:01 --------- d-----w C:\Program Files\MSXML 4.0
    2008-07-13 14:01 --------- d-----w C:\Program Files\XviD
    2008-07-13 14:01 --------- d-----w C:\Program Files\AutoGK
    2008-07-13 14:00 --------- d-----w C:\Program Files\Gabest
    2008-07-13 14:00 --------- d-----w C:\Program Files\AviSynth 2.5
    2008-07-12 22:07 --------- d-----w C:\Documents and Settings\rworrell\Application Data\Apple Computer
    2008-07-12 21:13 --------- d-----w C:\Program Files\DVD Decrypter
    2008-07-12 21:12 --------- d-----w C:\Program Files\ImTOO
    2008-07-12 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
    2008-07-11 01:22 --------- d-----w C:\Program Files\Microsoft Money Plus
    2008-05-22 01:24 3,902,784 ----a-w C:\Documents and Settings\rworrell\gosetup.exe
    2008-05-17 02:16 724,984 ----a-w C:\Documents and Settings\rworrell\gotomypc_437.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-01-15 106496]
    "Windows Live FolderShare"="C:\Documents and Settings\rworrell\Local Settings\Application Data\FolderShare\FolderShare.exe" [2008-04-15 925728]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "X1FileMonitor.exe"="C:\Program Files\X1\X1FileMonitor.exe" [2008-05-30 369336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-01-14 8523776]
    "NVRaidService"="C:\WINDOWS\system32\nvraidservice.exe" [2007-10-26 184352]
    "PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2006-09-03 20530]
    "HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
    "DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2003-05-21 229437]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 172032]
    "HPHUPD06"="C:\Program Files\Hewlett-Packard\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 49152]
    "HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
    "HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 659456]
    "GoToMyPC"="C:\Program Files\Citrix\GoToMyPC\g2svc.exe" [2007-06-20 258856]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
    "NapsterShell"="C:\Program Files\Napster\napster.exe" [2008-05-29 323216]
    "RTHDCPL"="RTHDCPL.EXE" [2008-01-14 C:\WINDOWS\RTHDCPL.EXE]

    C:\Documents and Settings\rworrell\Start Menu\Programs\Startup\
    X1.lnk - C:\Program Files\X1\X1.exe [2008-05-30 2533048]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    HP Digital Imaging Monitor.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
    2007-06-20 11:09 10536 C:\Program Files\Citrix\GoToMyPC\G2WinLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "C:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Documents and Settings\\rworrell\\Local Settings\\Application Data\\FolderShare\\FolderShare.exe"=
    "C:\\Program Files\\SonicWALL\\SonicWALL Global VPN Client\\SWGVpnClient.exe"=
    "C:\\WINDOWS\\system32\\msiexec.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    R0 nvgts;nvgts;C:\WINDOWS\system32\drivers\nvgts.sys [2008-02-11 102400]
    R0 nvrd32;NVIDIA nForce RAID Driver;C:\WINDOWS\system32\drivers\nvrd32.sys [2008-02-11 128000]
    R1 RCFOX;SonicWALL IPsec Driver;C:\WINDOWS\system32\Drivers\RCFOX.sys [2004-10-15 91136]
    R3 rcvpn;SonicWALL VPN Adapter;C:\WINDOWS\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-__c00DA718 - C:\WINDOWS\system32\__c00DA718.dat


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\rworrell\Application Data\Mozilla\Firefox\Profiles\e3m5z032.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava11.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava12.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava13.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava14.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJava32.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
    FF -: plugin - C:\Program Files\Java\jre1.5.0_06\bin\NPOJI610.dll
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-03 20:41:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Dantz\Retrospect\retrorun.exe
    C:\Program Files\Citrix\GoToMyPC\g2comm.exe
    C:\Program Files\Citrix\GoToMyPC\g2pre.exe
    C:\Program Files\Citrix\GoToMyPC\g2tray.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\X1\X1Systray.exe
    C:\Program Files\X1\X1Service.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-03 20:42:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-04 00:42:29

    Pre-Run: 84,922,789,888 bytes free
    Post-Run: 85,235,765,248 bytes free

    176 --- E O F --- 2008-08-27 00:26:52

  5. #5
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,252

    Default

    Thanks for returning your information, please be patient while we check your machine for anything hidden.

    1) C:\Program Files\Java\jre1.5.0_06\ <<< update Java, see this information:
    http://forums.spybot.info/showpost.p...80&postcount=2

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/public-beta/ATF-Cleaner.exe
    Save it to your Desktop. We will use this later.

    3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    (leave this if you set it like that on purpose)

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    4) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    *Cleaning Prefetch may results in a few slow starts until the folder is repopulated:
    http://www.windowsnetworking.com/art...efetch-XP.html

    5) Download Malwarebytes' Anti-Malware to your Desktop
    http://www.besttechie.net/tools/mbam-setup.exe

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform FULL SCAN, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
    * Please post contents of that file in your next reply.

    How is the computer running?

    Thanks...Phil
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •