NEED HELP ASAP, keep getting popups etc, this damn ware sucks..

I only use Process Explorer when it's needed for serious infections, so I have not run it myself in a few months. I just downloaded a new copy from the link I sent you and everything in my instructions was present. You just did not read it and follow through.

I know being infected like this is frustrating and you want to get rid of it as fast as you can, but you can't jump ahead of me; you need to run the scans or programs that I have listed in the order given. I take a lot of time going over your log and trying to figure out the best course of action to take to better help you.

Ken:)
 
I'm sorry Ken, I realize this, yet when I ran that program I saw no Threads tab anywhere up top; only when I would click a certain tab on the side were the threads there, but I searched all and didn't see any files ending with that...

I did run SDFix; here's a log and a new HJT log. I do know you are taking a lot of time with me and will pay you back however I can! I really appreciate it, man!



SDFix log:

SDFix: Version 1.107

Run by Owner on Mon 10/01/2007 at 06:33 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
protect
runtime

ImagePath:
System32\drivers\protect.sys
\??\C:\WINDOWS\System32\drivers\runtime.sys

protect - Deleted
runtime - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SVCHQY.DLL - Deleted
C:\WINDOWS\SYSTEM32\TMP_O.DLL - Deleted
C:\WINDOWS\SYSTEM32\WIN_PMO.DLL - Deleted
C:\WINDOWS\SYSTEM32\IALMCOIN.DLL - Deleted
C:\4.TMP - Deleted
C:\4A.TMP - Deleted
C:\4B.TMP - Deleted
C:\4E.TMP - Deleted
C:\58.TMP - Deleted
C:\59.TMP - Deleted
C:\5B.TMP - Deleted
C:\5C.TMP - Deleted
C:\5D.TMP - Deleted
C:\5E.TMP - Deleted
C:\5F.TMP - Deleted
C:\60.TMP - Deleted
C:\61.TMP - Deleted
C:\62.TMP - Deleted
C:\63.TMP - Deleted
C:\64.TMP - Deleted
C:\65.TMP - Deleted
C:\67.TMP - Deleted
C:\7.TMP - Deleted
C:\A.TMP - Deleted
C:\Documents and Settings\Owner\Desktop\WinAntiSpyware 2007.lnk - Deleted
C:\Documents and Settings\Owner\Local Settings\Temp\WinAntiSpyware 2007 FreeInstall.exe - Deleted
C:\A.tmp - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\boa1.dat - Deleted
C:\WINDOWS\system32\cookie1.dat - Deleted
C:\WINDOWS\system32\drivers\protect.sys - Deleted
C:\WINDOWS\system32\help.txt - Deleted
C:\WINDOWS\system32\ps1.dat - Deleted
C:\WINDOWS\system32\smuhdd.dll - Deleted
C:\WINDOWS\system32\win32.exe - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted


Folder C:\Program Files\InetGet2 - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 27 Sep 2007 196 A.SHR --- "C:\BOOT.BAK"
Mon 1 Oct 2007 6,448 ..SH. --- "C:\WINDOWS\system32\gjllm.bak1"
Mon 1 Oct 2007 2,107,115 ..SH. --- "C:\WINDOWS\system32\ijkmp.bak2"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svch51.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svchl00.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\syst66x.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_226.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_5i.exe"
Mon 16 Apr 2007 661 A..H. --- "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"
Mon 16 Apr 2007 661 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"

Finished!
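Added example, not part of this thread and not SDFix code: it parses the "Files with Hidden Attributes" listing SDFix prints (one line per file: day, date, size, the five attribute columns A . S H R, then the quoted path) and groups hidden executables under system32 by identical size and drop date, which is exactly what makes the five 16,954-byte files above stand out. The sample listing inside is copied from this log.

```python
"""Triage the "Files with Hidden Attributes" section of an SDFix log.

Added example; it is not part of this thread and not SDFix code. SDFix prints
one line per file in the form
    <dow> <d> <Mon> <yyyy> <size> <attrs> --- "<path>"
where <attrs> is five columns, A . S H R (Archive, -, System, Hidden,
Read-only). Several hidden executables with random-looking names but the
exact same size and drop date are almost certainly copies of one payload.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<dow>[A-Za-z]{3}) (?P<day>\d{1,2}) (?P<mon>[A-Za-z]{3}) (?P<year>\d{4}) '
    r'(?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$'
)

# Constructed sample: the listing copied from the SDFix log in this thread.
SAMPLE_LISTING = r'''
Thu 27 Sep 2007 196 A.SHR --- "C:\BOOT.BAK"
Mon 1 Oct 2007 6,448 ..SH. --- "C:\WINDOWS\system32\gjllm.bak1"
Mon 1 Oct 2007 2,107,115 ..SH. --- "C:\WINDOWS\system32\ijkmp.bak2"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svch51.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\svchl00.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\syst66x.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_226.exe"
Mon 1 Oct 2007 16,954 ...HR --- "C:\WINDOWS\system32\tmp_5i.exe"
Mon 16 Apr 2007 661 A..H. --- "C:\Documents and Settings\Default User\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"
Mon 16 Apr 2007 661 A..H. --- "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Messenger\prf83E.tmp"
'''


def parse_hidden_files(text):
    """Return one dict per well-formed listing line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date = datetime.strptime(
            f"{m['day']} {m['mon']} {m['year']}", "%d %b %Y").date()
        entries.append({
            "date": date,
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "hidden": "H" in m["attrs"],
            "system": "S" in m["attrs"],
            "path": m["path"],
        })
    return entries


def suspicious_clusters(entries, min_group=2):
    """Group hidden .exe/.dll files under system32 by (size, date).

    Returns {(size, date): [paths]} for groups of at least min_group files.
    """
    groups = defaultdict(list)
    for e in entries:
        p = e["path"].lower()
        if not e["hidden"] or "\\system32\\" not in p:
            continue
        if not p.endswith((".exe", ".dll")):
            continue
        groups[(e["size"], e["date"])].append(e["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_group}


if __name__ == "__main__":
    found = suspicious_clusters(parse_hidden_files(SAMPLE_LISTING))
    for (size, date), paths in found.items():
        print(f"{len(paths)} hidden executables of {size} bytes dated {date}:")
        for path in paths:
            print("   ", path)
```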
 
Sorry, it posted the one twice; here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:34 PM, on 10/1/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 7173 bytes
 
Reread and tried the instructions from before: there is nothing in procexp.exe, in winlogon.ex, with an instance of tmp_2h.dll or iifedca.dll, once.
 
  • Next go to Start > Run, type cmd and hit OK
  • Type in ipconfig /flushdns then hit Enter
    (that space between g and / is needed)
  • Type exit and hit Enter



Remove these with HJT.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://easyrussianbrides.info/?idAff=76
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://easyrussianbrides.info/?idAff=76
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://easyrussianbrides.info/?idAff=76

O2 - BHO: 0 - {669D4C76-BB20-4CED-FC8D-E840EFB99E0E} - (no file)

O4 - HKLM\..\Run: [winptr] C:\WINDOWS\winptr.exe
O4 - HKLM\..\Run: [winload] C:\Program Files\Internet Explorer\winload.exe
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm



Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\winptr.exe
    C:\Program Files\Internet Explorer\winload.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
  • Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Download and Save the Trial of Blacklight to your desktop.
  • Download the Blacklight Beta graphical user interface version
  • Double-click blbeta.exe
  • Then accept the agreement
  • Click > scan then > next
  • You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
  • Copy and paste this log in your next reply.
  • Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"


Let me see the OTMoveIt log, the Blacklight log and a new HJT log please.
 
If you have not done so already, run these through OTMoveIt.

C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\svch51.exe


Should be like this.

C:\WINDOWS\winptr.exe
C:\WINDOWS\system32\gjllm.bak1
C:\WINDOWS\system32\ijkmp.bak2
C:\WINDOWS\system32\svch51.exe
C:\Program Files\Internet Explorer\winload.exe


We need to make sure all hidden files are showing:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.


Go to this site, Jotti Upload, and under the browse feature, browse to these files:

C:\WINDOWS\system32\svchl00.exe
C:\WINDOWS\system32\syst66x.exe
C:\WINDOWS\system32\tmp_226.exe
C:\WINDOWS\system32\tmp_5i.exe


Then click on Upload and it will give you a report; post the report in your next reply for each file.
 
OTMoveIt results:

File/Folder C:\WINDOWS\winptr.exe not found.
C:\WINDOWS\system32\gjllm.bak1 moved successfully.
C:\WINDOWS\system32\ijkmp.bak2 moved successfully.
C:\WINDOWS\system32\svch51.exe moved successfully.
File/Folder C:\Program Files\Internet Explorer\winload.exe not found.

Created on 10/02/2007 16:34:26
 
Cannot find Blacklight from the link you gave; waiting for further instructions before I do anything else..
 
New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:52 PM, on 10/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Kasamba\Kasamba.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
O4 - .DEFAULT User Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: Connect Kasamba.lnk = C:\Program Files\Kasamba\Kasamba.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 6324 bytes


Running the scan now, then will post.
 
Note: the scan currently running had about 10 or so Norton alerts that it removed certain virus / trojan.pandex / trojan horse items.
 
Your log is not looking too bad :bigthumb: After you run Blacklight, update your Java. You need to do this; it will plug some holes that may be letting this garbage in.

  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it (image: javaicon.jpg). Select it and click Remove.
  • Reboot your system.
  • Then go to the Sun Microsystems and install the update
  • Java Runtime Environment Version 6 Update 2 <--This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.


Boot to Safe Mode and remove these:


O4 - S-1-5-18 Startup: PowerReg Scheduler V3.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: PowerReg Scheduler V3.exe (User 'Default user')
O4 - .DEFAULT User Startup: TA_Start.lnk = ? (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe



Post a new HJT log
 
Report from scan:

Scanning Report
Tuesday, October 02, 2007 17:22:14 - 19:06:59
Computer name: YOUR-FSYLY0JTWN
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 36 malware found
Adware.Ismas (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
NavExcel (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.Agent.acl (virus)
C:\WINDOWS\SYSTEM32\DRIVERS\SECDRV.SYS (Renamed)
Trojan-Downloader.Win32.Agent.cbx (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\30397F4E.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\557B4B77.EXE (Renamed)
Trojan-Downloader.Win32.Agent.dlx (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\5A5F60EC.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\795116E2.EXE (Renamed)
Trojan-Downloader.Win32.Agent.dpn (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\24976C1B.EXE (Renamed)
Trojan-Downloader.Win32.Small.buy (virus)
C:\WINDOWS\SYSTEM32\P1\DWDLDR1.EXE (Renamed)
Trojan-Downloader.Win32.Small.cyn (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\11582A1D.DLL (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\59E1780C.DLL (Renamed)
Trojan-Downloader.Win32.Small.egd (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\43995B25.EXE (Renamed)
Trojan-Downloader.Win32.Small.fwu (virus)
C:\WINDOWS\SYSTEM32\S9\RW1000DR.EXE (Renamed)
Trojan-Downloader.Win32.Tiny.id (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\12AC6FCA.EXE (Renamed)
Trojan-Downloader.Win32.VB.bkw (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1A2B6D93.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20803893.EXE (Renamed)
Trojan.Win32.Agent.bnd (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\04E00503.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\20C00E55.EXE (Renamed)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\3F1974E2.EXE (Renamed)
Trojan.Win32.BHO.ab (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\13EF2C66.EXE (Renamed)
C:\PROGRAM FILES\MESSENGER\LAVUMA.DLL
Trojan.Win32.VB.bgu (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\45F7735B.EXE (Renamed)
Vundo.gen38 (virus)
C:\WINDOWS\SYSTEM32\IYDXDJIX.INI
Win32.Backdoor.Agent (spyware)
System (Disinfected)
Win32.Trojan.Agent (spyware)
System (Disinfected)
Win32.TrojanDownloader.Agent (spyware)
System (Disinfected)
WinAntiSpyware (spyware)
System (Disinfected)
not-virus:Hoax.Win32.Agent.n (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\12C63FAD.EXE
not-virus:Hoax.Win32.Renos.cy (virus)
C:\WINDOWS\SYSTEM32\WARN.HTM
C:\DOCUMENTS AND SETTINGS\OWNER\APPLICATION DATA\MICROSOFT\INTERNET EXPLORER\DESKTOP.HTT
not-virus:Hoax.Win32.Renos.kg (virus)
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\11582A1D.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\13C26099.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\31103A8E.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\664.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 48403
System: 5320
Not scanned: 7
Actions:
Disinfected: 8
Renamed: 19
Deleted: 0
None: 9
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\VMW10A\VMW10A1099.EXE
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\B1\GB83122.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\DFGAERT.DLL
C:\B4B43416D5A431B2B7AA75662E\MSI.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 7.0.171, 2007-10-03
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Libra: 2.4.2, 2007-10-02
F-Secure Orion: 1.2.37, 2007-10-03
F-Secure Pegasus: 1.19.0, 2007-09-01
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------







Also I had Norton pop up several times saying it detected viruses and it was unable to fix or delete them; these were:

sysgqfg.exe
sysnkqy.exe
sysowyo.exe
sysydta.exe
sysysnk.exe and a few more I think...
 
I went to remove Java but the only thing I can see is:

Java 2 Runtime Environment SE v1.4.2, and it has a computer icon, not the coffee cup. Is this the one I remove?
 
Just leave uninstalling Java be, but install the new one; I will have to look into that.

Open up Norton and go into the Quarantine folder and remove it all.

Download Pocket Killbox to your desktop.

Highlight all the files with the complete path inside the quote and press Ctrl+C on your keyboard.



  • sysgqfg.exe
    sysnkqy.exe
    sysowyo.exe
    sysydta.exe
    sysysnk.exe

  • Open Pocket Killbox
  • Go to File > Paste from clipboard
  • Set it to Delete on Reboot
  • Tick the box that says End Explorer shell while killing file
  • If it's not greyed out, click the radio button that says Unregister .dll before deleting.
  • Make sure ALL Files is selected
  • Click on the Red circle with the white X
  • It will ask you to confirm the deletion...Say yes
  • It will ask you to reboot, say yes
If you get a message "pending operations has been stopped by external process!" then reboot the computer manually.

Reboot and run Norton again and let me know of any other files it picked up.
 
OK, I went to quarantined items and it said none, but there were 20-something backup items in that section that I deleted; is that OK? They were mostly viruses etc..
 
I'm not familiar with Norton. I ran those with Killbox, but how do I do a Norton scan now? The little icon on the bottom right of the desktop isn't showing..
 
trusted antivirusinstaller just popped up and I clicked Cancel, but it downloaded; then I had a message saying invalid point... wow, my com is weird! :sad:
 