Horrible, Horrible Malware/SmitFraud.

Status
Not open for further replies.
T

ThePanicPuppet

New member
This is awful.
I've spent five hours trying to remove this.
This... this SmitFraud-C Toolbar8000.
This thing has gotten so bad that a fake McAffee message pops up preventing me from downloading HijackThis. I don't know what to do. For years I've been able to clear the registry keys of these types of things, but now...
I can't get HijackThis back. I can't offer you what it said there.
What I can offer you is this list of processess that are causing me supreme trouble:

retadpu1000272.exe
regsvr32.exe
dexplore.exe
smanager.7.exe

For a while, I had ipwins.exe and b122.exe popping up, but I've gotten rid of those.

I've tried SpyBot. I've tried Vundo. I've tried AVG. I've tried SmitFraudFix. Please, someone--anyone---help me.

This here is all I can offer: a post SmitFraudFix report.

SmitFraudFix v2.179

Scan done at 23:46:55.65, Thu 05/10/2007
Run from X:\Program Files\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1C850064-9EEA-46E3-8E28-E6E61FEF1C89}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1C850064-9EEA-46E3-8E28-E6E61FEF1C89}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C850064-9EEA-46E3-8E28-E6E61FEF1C89}: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


I've put 7 years into this computer. I won't let the work of some advertising a**holes ruin it.
 
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" Mandatory Steps Before Requesting Assistance
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process. Use "Post Reply" to post the information in the instructions and stay in the same topic.

I would really like to help, but without the instructions being followed and at least a HJT log posted, it is hard to do.
You only showed me Smitfraudfix in "Clean" mode so I don't even know if you had that infection or not, no indication in the C:\report.txt. I am beginning to believe hackers are showing the Smitfraud toolbar to throw us off from the actual infection, which has been Vundo more and more trying to get folks to buy rouge software like Winfixer and errorsafe, etc.

Let's look at the information you have given me:
retadpu1000272.exe
http://fileinfo.prevx.com/fileinfo.asp?PXC=481891137716

regsvr32.exe??? appears valid???
http://www.liutilities.com/products/wintaskspro/processlibrary/regsvr32/

dexplore.exe??? appears valdi???
http://www.liutilities.com/products/wintaskspro/processlibrary/dexplore/

smanager.7.exe
http://fileinfo.prevx.com/fileinfo.asp?PXC=cb5893112585
http://www.sophos.co.uk/security/analyses/trojdwnldrguh.html
very dangerous

ipwins.exe
http://www.superadblocker.com/definition/ipwins/

b122.exe
http://www.google.com/search?hl=en&q=b122.exe+&btnG=Search
nasty item

Danny, we are going to try a multi-purpose tool, follow the directions carefully. Once combofix does it's job, then you get me a HJT log posted along with the combofix log so I can see what is going on.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Thanks
 
"JOSEPH" - 2007-05-11 15:10:52 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Program Files\Mozilla Firefox\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\fccdcay.dll
C:\WINDOWS\system32\ssqqqoo.dll
C:\WINDOWS\system32\winzzd32.dll
C:\WINDOWS\system32\ssqolmj.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartloadb.dat
C:\WINDOWS\enewsletterpro1.dat
C:\WINDOWS\winsysupd1.dat
C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\WINDOWS\retadpu1000272.exe
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\install.log
C:\WINDOWS\system32\wtsit.exe
C:\WINDOWS\b122.exe
C:\Program Files\Common Files\download
C:\Program Files\outerinfo
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\MBOLS~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_RDRIV
-------\rdriv


((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))


2007-05-11 15:03 93,696 --a------ C:\WINDOWS\system32\drvgur.dll
2007-05-11 15:03 29,206 --a------ C:\WINDOWS\system32\awtuvuv.dll
2007-05-11 00:23 <DIR> d-------- C:\SmitfraudFix
2007-05-10 23:52 93,696 --a------ C:\WINDOWS\system32\drvnos.dll
2007-05-10 22:08 876,207 --a------ C:\SmitfraudFix.exe
2007-05-10 21:45 1,626 --a------ C:\WINDOWS\system32\tmp.reg
2007-05-10 21:33 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-05-10 21:31 <DIR> d-------- C:\WINDOWS\Options
2007-05-10 20:04 93,696 --a------ C:\WINDOWS\system32\drvwix.dll
2007-05-10 20:04 60,928 --a------ C:\WINDOWS\system32\sewgbour.dll
2007-05-10 20:04 2 --a------ C:\WINDOWS\system32\wtsisvit.exe
2007-05-10 18:33 99,328 --a------ C:\VundoFix.exe
2007-05-10 18:33 <DIR> d-------- C:\VundoFix Backups
2007-05-10 18:00 93,696 --a------ C:\WINDOWS\system32\drvfal.dll
2007-05-10 18:00 43 --a------ C:\Program Files\RUNME.bat
2007-05-10 18:00 12,374 --a------ C:\Program Files\install.exe
2007-05-07 21:18 <DIR> d-------- C:\DOCUME~1\JOSEPH\Incomplete
2007-05-07 21:17 <DIR> d-------- C:\DOCUME~1\JOSEPH\APPLIC~1\LimeWire
2007-05-04 21:53 <DIR> d-------- C:\DOCUME~1\TOM\APPLIC~1\Google
2007-04-25 19:54 <DIR> d-------- C:\DOCUME~1\NICOLE\APPLIC~1\InstallShield
2007-04-25 19:50 <DIR> d-------- C:\Program Files\Avanquest update
2007-04-25 19:49 25,600 --a------ C:\WINDOWS\system32\drivers\usbser.sys
2007-04-25 19:47 24,192 --a------ C:\DOCUME~1\NICOLE\usbsermptxp.sys
2007-04-25 19:47 22,768 --a------ C:\WINDOWS\system32\drivers\usbsermpt.sys
2007-04-25 19:47 22,768 --a------ C:\DOCUME~1\NICOLE\usbsermpt.sys
2007-04-25 19:46 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2007-04-25 19:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BVRP Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-11 19:34:56 30,577 ----a-w C:\WINDOWS\system32\tablet.dat
2007-05-09 20:13:53 -------- d-----w C:\Program Files\Soulseek
2007-05-08 22:49:39 15,196 -c--a-w C:\WINDOWS\mozver.dat
2007-05-03 02:53:34 -------- d-----w C:\Program Files\iPod
2007-04-30 23:30:46 -------- d-----w C:\Program Files\ArtMoney
2007-04-25 23:50:26 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-19 18:36:32 -------- d-----w C:\Program Files\America Online 9.0
2007-04-07 03:23:06 6,511 ----a-w C:\WINDOWS\system32\SpoonUninstall-Nostalgia, an Intellivision Emulator.dat
2007-04-07 03:23:06 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll"
"{4EC5F862-6FD5-7C2C-F63B-68E33DE5F89B}"="C:\WINDOWS\system32\sewgbour.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar3.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"X:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"X:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SManager"="smanager.7.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"PopUpStopperFreeEdition"="\"C:\\PROGRA~1\\PANICW~1\\POP-UP~1\\PSFree.exe\""
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="1"
"Lynwtaw"="\"C:\\Program Files\\??mbols\\r?gsvr32.exe\""
"Usrr"="\"C:\\PROGRA~1\\COMMON~1\\STEM32~1\\dexplore.exe\" -vt ndrv"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="C:\Program Files\ewido anti-malware\shellhook.dll"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.lnk
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^america online 8.0 tray icon.lnk
C:\PROGRA~1\AMERIC~2.0\aoltray.exe -check

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^america online 9.0 tray icon.lnk
C:\PROGRA~1\AMERIC~3.0\aoltray.exe -check

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^bigfix.lnk
C:\PROGRA~1\BigFix\BigFix.exe /atstartup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^compuserve 7.0 tray icon.lnk
C:\PROGRA~1\COMPUS~1.0B\cstray.exe -check

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^intervideo wincinema manager.lnk
C:\PROGRA~1\INTERV~1\Common\Bin\WINCIN~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^kodak easyshare software.lnk
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^kodak software updater.lnk
C:\PROGRA~1\Kodak\KODAKS~1\7288971\Program\BACKWE~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk
C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^tabuserw.exe.lnk
C:\WINDOWS\system32\WTablet\TabUserW.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^joseph^start menu^programs^startup^umax vistaaccess.lnk
C:\VSTASCAN\vsaccess.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^tom^start menu^programs^startup^screen saver control.lnk
C:\WINDOWS\FSScrCtl.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim
C:\Program Files\AIM95\aim.exe -cnetwait.odl

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim6
"C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aol spyware protection
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aolspscheduler
C:\Program Files\Common Files\AOL\1137880939\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ati launchpad
"C:\Program Files\ATI Multimedia\main\launchpd.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\atipta
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bjcfd
C:\Program Files\BroadJump\Client Foundation\CFD.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bullseye network
C:\Program Files\BullsEye Network\bin\bargains.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxb1
C:\WINDOWS\treggd.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\directx64
C:\WINDOWS\System32\DirectXset.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dxprgc
C:\Program Files\Nvrb\Kptpftj.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\emailscan
C:\Program Files\mcafee.com\antivirus\mcvsescn.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ez
C:\documents and settings\nicole\local settings\temp\ez.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hostmanager
C:\Program Files\Common Files\AOL\1137880939\ee\AOLSoftware.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp component manager
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp software update
"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpdj taskbar utility
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphmon05
C:\WINDOWS\System32\hphmon05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hphupd05
C:\Program Files\Hewlett-Packard\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\internet optimizer
"C:\Program Files\Internet Optimizer\optimize.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ist service
C:\Program Files\ISTsvc\istsvc.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kazaa
C:\Program Files\KaZaA\kazaa.exe /SYSTRAY

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\load
C:\OPLIMIT\ocraware.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcafee.instantupdate.monitor
"C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft servicez manager
servicemgrz.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\microsoft updat3
mswkst32.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mpfexe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmc
C:\WINDOWS\System32\msmc.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mssvc322
C:\WINDOWS\System32\MSsvc32.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oasclnt
C:\Program Files\mcafee.com\antivirus\oasclnt.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plaxoupdate
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe -a

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popupstopperfreeedition
"C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\secure
C:\WINDOWS\System32\Ottlzk.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sscrun
C:\Program Files\Common Files\AOL\1137880939\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t9u65ekh
C:\WINDOWS\System32\t9u65ekh.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tkbellexe
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tray temperature
C:\DOCUME~1\JOSEPH\LOCALS~1\Temp\MiniBug.exe 1

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\version
C:\WINDOWS\System32\Epmera.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\viewmgr
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wildtangent cda
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsock2 driver
xabmhd.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsvc32
C:\WINDOWS\System32\winsvc32.exe


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"svehost32"=dword:00000002
"SpywareCleanerService"=dword:00000002
"Alerter"=dword:00000003

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HTTPFilter HTTPFilter\0\0
DcomLaunch DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HP Usg Daily.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-11 15:36:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-11 15:50:42 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-11 15:50


I can't do a "HijackThis" log because my computer deletes it upon downloading.
 
I can't do a "HijackThis" log because my computer deletes it upon downloading.
Click to expand...

Joseph? Is it Joseph? We are in charge here, not the malware and we can't clean the computer without a HJT log. The option is a reformat.

Please explain exactly what happens when you try to download HJT, step by step.

This is probably a Vundo infection do you have another computer you can download it to? I need more information about how it is happening. If you can download the file to say your Desktop, and rename it before you run it,
or download it to a CD or floppy on another computer and rename the file before installing it on the infected computer, you may be able to fool the infection and get it done.

Here is an option, this version is self-extracting, you may also give it a try, here are the instructions:
Download a self-extracting copy of HijackThis from :-
http://downloads.malwareremoval.com/hijackthis_sfx.exe
1. save it to your Desktop.
2. Double-click on the file hijackthis_sfx.exe and it will self-extract into its own folder,
C:\Program Files\HijackThis
3. Go to this folder and run the hijackthis.exe file
4. click Do a system scan and save a logfile
5. Copy & paste the logfile into your next post here...

Remember, we are in charge, not the malware, do what you have to do to post a HJT log so I can see the infection.

Thanks
 
Sorry for my touchiness.
I ran it in SafeMode after downloading the WinZip to my desktop.
I messed around in the registry key, got rid of some files...
...SpyBot came up clean in both SafeMode and regular mode. The processes mentioned are gone. I think i got it.
Here's my HijackThis.log for to make examinations over.



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:54:32 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
X:\Program Files\HjckThs\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOSEPH\Application Data\Mozilla\Profiles\default\zh8wznw0.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4EC5F862-6FD5-7C2C-F63B-68E33DE5F89B} - C:\WINDOWS\system32\sewgbour.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "X:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "X:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Lynwtaw] "C:\Program Files\??mbols\r?gsvr32.exe"
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM32~1\dexplore.exe" -vt ndrv
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 5868 bytes
 
Hey, no problem, I have three computer and I know how I would feel if one of them got infected. We do have a problem though, this version of HJT is a beta version that we are not using yet. If you got it from the link I provided, I sincerely apologize, http://forums.spybot.info/showthread.php?t=288
At the present time, do NOT run Trend Micro HijackThis v2.0.0 (BETA) to produce a log for this forum, unless specifically requested, or you have a Vista Operating System.
Click to expand...

I need you to delete that version and download from here, we must use version 1.99.1, once again, I am sorry.
http://ralphcaddell.com/Uploads/HjThis.exe to download a self-extracting version of Hijackthis. Double click on the file, by default it will extract itself to *C:\Hijackthis*

I will respond as soon as possible after you post the new HJT log.

Thanks
 
Seems identical. Maybe a few tracking cookies showed up, but other than that, seems okay to me...


Logfile of HijackThis v1.99.1
Scan saved at 5:59:13 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOSEPH\Application Data\Mozilla\Profiles\default\zh8wznw0.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4EC5F862-6FD5-7C2C-F63B-68E33DE5F89B} - C:\WINDOWS\system32\sewgbour.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "X:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "X:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Lynwtaw] "C:\Program Files\??mbols\r?gsvr32.exe"
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM32~1\dexplore.exe" -vt ndrv
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
 
Exactly and also markers for the PurityScan/OIN adware junk, combofix is a great tool, but it can not do it all. But we are making great progress..correct?
You would not believe how many times I have looked at a log from HJT version 1.99.1

1) C:\Program Files\ewido anti-malware\ <<< this program is obsolete, purchased by AVG and reworked into AVG Anti-Spyware 7.5, it is available in a trial version if you even need it.
Uninstall that program from your computer.

2) See this information: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< Java is out of date, download the newest version and uninstall all old version in Add Remove Programs.

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {4EC5F862-6FD5-7C2C-F63B-68E33DE5F89B} - C:\WINDOWS\system32\sewgbour.dll
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [Lynwtaw] "C:\Program Files\??mbols\r?gsvr32.exe"
O4 - HKCU\..\Run: [Usrr] "C:\PROGRA~1\COMMON~1\STEM32~1\dexplore.exe" -vt ndrv

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

smanager.7.exe <<< delete that file (you will have to search for that one, could be in C:\Windows\System32\

C:\Program Files\??mbols\ <<< delete that folder

C:\PROGRAM FILES~1\COMMON FILES~1\STEM32~1\ <<< delete the folder

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post the uninstall list and a new HJT log. Let me know how the computer if running now.

Thanks...Phil
 
HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:05:34 PM, on 5/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM95\aim.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hijackthis\HijackThis.exe

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\JOSEPH\Application Data\Mozilla\Profiles\default\zh8wznw0.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [QuickTime Task] "X:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "X:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Uninstall Log:

ACDSee 32
Adobe Acrobat 5.0
Adobe Flash Player 9
Adobe Photoshop 7.0
Adobe Photoshop Elements 3.0
Adobe Reader 6.0.1
Adobe Shockwave Player
Adobe SVG Viewer
Aladdin
ALi USB2.0 Driver
Anapod CopyGear (remove only)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Instant Messenger
AOL Toolbar 2.0
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
ArcSoft Software Suite
ArtMoney v6.26
aspi
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.1.0.1
ATI Multimedia Center 8.1.0.0
Avance AC'97 Audio
Avanquest update
AVOne - All to MP3 Converter (a)
BigFix
BroadJump Client Foundation
CCHelp
CCleaner (remove only)
CCScore
CD Ripper
CleanUp!
Comcast High-Speed Internet Install Wizard
CompuServe
Conexant SoftK56 Modem(M)
Corel Painter Essentials 2
DAO
DivX Player
DivX Pro Codec Adware
ESSAdpt
ESSANUP
ESSCAM
ESSCDBK
ESScore
ESSgui
ESShelp
ESSini
ESSPCD
ESSTUTOR
ESSvpaht
ESSvpot
ewido anti-malware
GameTap
gmax
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
HP Memories Disc
HP Software Update
HydraVision
ICQ
InterVideo WinDVD Platinum 5
iPod for Windows 2005-03-23
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 6
KazAa Skins
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Lernout & Hauspie TruVoice American English TTS Engine
Lexmark Supplies Monitor
Lexmark Z25-Z35
LimeWire 4.12.11
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Macromedia Dreamweaver MX
Macromedia Extension Manager
Macromedia Fireworks MX
Macromedia Flash MX
Macromedia FreeHand 10
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Office 2000 Premium
Microsoft Works 2000
Microsoft XML Parser and SDK
Mocha W32 TN5250
Motorola Phone Tools
Mozilla Firefox (1.5.0.11)
MSN Messenger 7.0
MSXML 4.0 SP2 (KB927978)
Netscape 6 (6.2.1)
Netscape Browser (remove only)
Network Play System (Patching)
NetworkAddonMod Beta Version 2005.09.30
NHL 99
nik Color Efex Pro 2.0 IE
Nostalgia, an Intellivision Emulator
Notifier
openCanvas4.06E Plus
OTtBP
Outerinfo
Paradise Poker
Photosmart 140,240,7200,7600,7700,7900 Series
Plaxo Toolbar for Outlook and Outlook Express
Pop-Up Stopper Free Edition
PowerDesk 2.0
ProSavageDDR and Utilities
QuickTime
RealPlayer
Roll
S3Display
S3Gamma2
S3Info2
S3Overlay
Samsung YP-N30
SC4Terraformer V.07
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
SFR
SFR2
Shockwave
SimCity 3000 Unlimited
SimCity 4 Rush Hour
Snood for Windows version 3.52-W
SoulSeek Client 156c
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Tablet
Tansee iPod Transfer v3.2
The Sims 2
The Sims 2 Glamour Life Stuff
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims Make-A-Celebrity
The Sims Makin' Magic
Ultimate Pinball
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
USB MassStorage CardReader
VIA Audio Driver Setup Program
Viewpoint Manager (Remove Only)
Viewpoint Media Player
VistaShuttle
Winamp (remove only)
Winamp3 (remove only)
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
Yahoo! Install Manager
Yahoo! Toolbar
Yrefresher 1.00


After ComboFix and my registry-messings it worked a lot faster. Those processes haven't come up since. Thanks a bunch.
 
Good morning, the HJT log is looking a lot better this morning, looks like all of the malware is out of it. I can still see a few issues, but let's look at your uninstall list first. I am looking for security issues and malware, it's a great chance for you to look for programs you no longer use, to get rid of them, your call.

Uninstall list:

CCleaner
CleanUp!
Just for your information, I think both progreams do the same thing or close to it? Does not hurt a thing if you have plenty of drive space, and they are not running.

ewido anti-malware
Mentioned this on in my last post, obsolete program, running from you services also. Using a bunch of your resrouces to do nothing.
I would have posted instructions to remove the folder in my next post, but cannot because the program needs to be uninstalled first.

J2SE Runtime Environment 5.0 Update 6
Very dangerous, already posted in the last post, understand if you visit a site with malware exploits by accident, you can get infected via this out of date program without doing anything at all.

LimeWire 4.12.11
Program may be valid, put here are just a couple of links about p2p file sharing, which infects mre people than any other method:
http://www3.ca.com/securityadvisor/pest/Pest.aspx?id=453088059
http://pcpitstop.com/spycheck/p2p.asp
http://pcpitstop.com/spycheck/badtorrent.asp

Mozilla Firefox (1.5.0.11)
Out of date...just like Windows/IE, if you are going to run the program you need to keep it updated.

Outerinfo <<< PurityScan adware that we have been fighting, uninstall this one NOW. If you have an issues, here is an uninstaller:
UNINSTALLER
http://www.outerinfo.com/OiUninstaller.exe
TUTORIAL
http://www.outerinfo.com/howto.html

Paradise Poker
Dangerous, there is no free, if you are going to run this stuff, you are going to pay for it!

Viewpoint Manager (Remove Only)
Viewpoint Media Player
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/showPage.html?page=3561546
http://www.clickz.com/news/article.php/3561546

Logfile of HijackThis v1.99.1 Scan saved at 9:05:34 PM, on 5/11/2007

You HJT log is clean except for the issues I mentioned above. Please do this now:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

For your benefit:
Help! My computer is slow!
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
How to prevent Malware
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks
 
Status
Not open for further replies.
Back
Top