• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
stoli

MyCleaner PC Plus Others - Help!

16 posts in this topic

Last night I became infected by using a trainer for a pc game. I manually went through my HJT log and got rid of some stuff. I ran CC cleaner which cleaned out a lot of crap in the temporary files. When I tried to uninstall MyCleaner PC it said it was sucesful but the control panel, add remove screen isn't responding. Along with that I am getting Internet Explorer pop ups every couple of minutes or so.

 

Heres the new log after Adaware and Spybot..

 

Logfile of HijackThis v1.99.1

Scan saved at 3:08:15 PM, on 5/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\wscript.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\devldr32.exe

C:\Documents and Settings\Chris\My Documents\Downloads\hijackthis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://music.yahoo.com/launchcast/stations/default.asp

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

 

 

 

Please help! Thanks in advance!

Share this post


Link to post
Share on other sites

*Not trying to bump*

 

I noticed that the popups only start to occur when I launch firefox to go online. If I restart my computer and play a game or something no pop ups happen. However if I open up firefox the popups won't stop until I reboot.

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Again not trying to bump but thought I might add this,

 

along with the pop ups in IE I am getting a lot of stuff for WinAntiVirus (it began downloading itself when I was first infected and put an install shortcut on my desktop). When I say stuff I mean advertisments and popups saying I am infected and I need WinAntiVirus to help, that sort of thing. I am not sure if this is related to the MyCleaner PC that I noticed on my machine.

Share this post


Link to post
Share on other sites

Hi,

 

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please download SmitfraudFix (by S!Ri)

 

Extract all the content (to a folder named SmitfraudFix) on your Desktop.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

 

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

 

Please copy/paste the content of that report into your next reply.

 

Share this post


Link to post
Share on other sites

Heres the log, thanks for helping out.

 

SmitFraudFix v2.192

 

Scan done at 10:42:21.40, Tue 06/05/2007

Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\WINDOWS\system32\wscntfy.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\Program Files\OpenOffice.org 2.2\program\soffice.exe

C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: Realtek RTL8139 Family PCI Fast Ethernet NIC - Packet Scheduler Miniport

DNS Server Search Order: 167.206.3.227

DNS Server Search Order: 167.206.3.161

DNS Server Search Order: 167.206.3.228

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{BD366FF0-C6AF-472B-853B-AFF441F0E644}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\..\{BD366FF0-C6AF-472B-853B-AFF441F0E644}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS2\Services\Tcpip\..\{BD366FF0-C6AF-472B-853B-AFF441F0E644}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

Share this post


Link to post
Share on other sites

Not a Smitfraud infection.

 

Please download Atribune's VundoFix.exe from this site:

 

http://www.atribune.org/ccount/click.php?id=4 and place it on your desktop.

 

Double-click VundoFix.exe to run it.

 

Click the Scan for Vundo button.

 

Once it's done scanning, click the Remove Vundo button.

 

You will receive a prompt asking if you want to remove the files,

 

click YES

 

Once you click yes, your desktop will go blank as it starts removing

 

Vundo.

 

When completed, it will prompt that it will reboot your computer,

 

click OK.

 

Please post the contents of C:\vundofix.txt and a new HiJackThis log.

 

Share this post


Link to post
Share on other sites

i want to apologize, i accidentally ran the smitfraud on my laptop which isnt the hijacked computer..

 

here is the new smitfraud log which is from the hijacked computer as well as the vundo log

 

 

smitfraud

 

SmitFraudFix v2.192

 

Scan done at 2:29:32.31, Wed 06/06/2007

Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Internet Explorer\iexplore.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="wbsys.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport

DNS Server Search Order: 167.206.3.227

DNS Server Search Order: 167.206.3.161

DNS Server Search Order: 167.206.3.228

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS3\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

 

Vundo

 

 

VundoFix V6.4.2

 

Checking Java version...

 

Java version is 1.5.0.2

Old versions of java are exploitable and should be removed.

 

Scan started at 10:51:32 PM 6/5/2007

 

Listing files found while scanning....

 

C:\WINDOWS\system32\blrbydvq.ini

C:\WINDOWS\system32\ddccy.dll

C:\WINDOWS\system32\hlksbiep.dll

C:\WINDOWS\system32\jsqgqhfn.dll

C:\WINDOWS\system32\nfhqgqsj.ini

C:\WINDOWS\system32\nsvxcfun.ini

C:\WINDOWS\system32\nufcxvsn.dll

C:\WINDOWS\system32\opqss.bak1

C:\WINDOWS\system32\opqss.bak2

C:\WINDOWS\system32\opqss.ini

C:\WINDOWS\system32\opqss.ini2

C:\WINDOWS\system32\opqss.tmp

C:\WINDOWS\system32\peibsklh.ini

C:\WINDOWS\system32\qvdybrlb.dll

C:\WINDOWS\system32\rqrrpno.dll

C:\WINDOWS\system32\ssqopnn.dll

C:\WINDOWS\system32\ssqpo.dll

C:\WINDOWS\system32\txsaskmv.dll

C:\WINDOWS\system32\ubcgtwti.dll

C:\WINDOWS\system32\yccdd.ini

C:\WINDOWS\system32\yupjpqxt.dll

 

Beginning removal...

 

Attempting to delete C:\WINDOWS\system32\blrbydvq.ini

C:\WINDOWS\system32\blrbydvq.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ddccy.dll

C:\WINDOWS\system32\ddccy.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\hlksbiep.dll

C:\WINDOWS\system32\hlksbiep.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\jsqgqhfn.dll

C:\WINDOWS\system32\jsqgqhfn.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nfhqgqsj.ini

C:\WINDOWS\system32\nfhqgqsj.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nsvxcfun.ini

C:\WINDOWS\system32\nsvxcfun.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\nufcxvsn.dll

C:\WINDOWS\system32\nufcxvsn.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\opqss.bak1

C:\WINDOWS\system32\opqss.bak1 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\opqss.bak2

C:\WINDOWS\system32\opqss.bak2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\opqss.ini

C:\WINDOWS\system32\opqss.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\opqss.ini2

C:\WINDOWS\system32\opqss.ini2 Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\opqss.tmp

C:\WINDOWS\system32\opqss.tmp Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\peibsklh.ini

C:\WINDOWS\system32\peibsklh.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\qvdybrlb.dll

C:\WINDOWS\system32\qvdybrlb.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\rqrrpno.dll

C:\WINDOWS\system32\rqrrpno.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ssqopnn.dll

C:\WINDOWS\system32\ssqopnn.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ssqpo.dll

C:\WINDOWS\system32\ssqpo.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\txsaskmv.dll

C:\WINDOWS\system32\txsaskmv.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\ubcgtwti.dll

C:\WINDOWS\system32\ubcgtwti.dll Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yccdd.ini

C:\WINDOWS\system32\yccdd.ini Has been deleted!

 

Attempting to delete C:\WINDOWS\system32\yupjpqxt.dll

C:\WINDOWS\system32\yupjpqxt.dll Has been deleted!

 

Performing Repairs to the registry.

Done!

 

 

 

please note after vundo I am still getting IE pop ups when opening fire fox, thanks again!

Share this post


Link to post
Share on other sites

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

 

Smitfraud infection detected.

 

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

 

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

 

Then please restart it into Normal Windows.

 

=*=

 

Your Java version is vulnerable to these infections, please update.

 

Updating Java

  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6

    [*]Click the Remove or Change/Remove button.

    [*]Repeat as many times as necessary to remove each Java versions. <- important.

    [*]Reboot your computer once all Java components are removed.

    [*]Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

 

Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with a new HijackThis log.

Share this post


Link to post
Share on other sites

Did everything you said, installed the new Java as well.

 

SmitFraud log - new scan after clean:

 

SmitFraudFix v2.192

 

Scan done at 12:01:36.18, Wed 06/06/2007

Run from C:\Documents and Settings\Chris\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chris\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chris\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="wbsys.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport

DNS Server Search Order: 167.206.3.227

DNS Server Search Order: 167.206.3.161

DNS Server Search Order: 167.206.3.228

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS3\Services\Tcpip\..\{60AA5322-2ECA-41C5-9C03-765B5ABA2612}: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=167.206.3.227 167.206.3.161 167.206.3.228

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

 

 

HJT:

 

 

Logfile of HijackThis v1.99.1

Scan saved at 12:02:37 PM, on 6/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\WINDOWS\system32\devldr32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\Documents and Settings\Chris\My Documents\Downloads\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: (no name) - {9864CCA3-8400-4082-BBF3-46F511932DA0} - C:\WINDOWS\system32\jprdmvhp.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: (no name) - {B9D448AD-26D6-45D3-94AB-5D8A54411F15} - C:\WINDOWS\system32\ssqpo.dll (file missing)

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [j6201935] rundll32 C:\WINDOWS\system32\j6201935.dll sook

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\nufcxvsn.dll",realset

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

 

 

 

Thanks again!

Share this post


Link to post
Share on other sites

Print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O2 - BHO: (no name) - {9864CCA3-8400-4082-BBF3-46F511932DA0} - C:\WINDOWS\system32\jprdmvhp.dll

O2 - BHO: (no name) - {B9D448AD-26D6-45D3-94AB-5D8A54411F15} - C:\WINDOWS\system32\ssqpo.dll (file missing)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [j6201935] rundll32 C:\WINDOWS\system32\j6201935.dll sook

O4 - HKLM\..\Run: [ApachInc] rundll32.exe "C:\WINDOWS\system32\nufcxvsn.dll",realset

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete these files in bold if found.

 

C:\WINDOWS\system32\jprdmvhp.dll

C:\WINDOWS\system32\j6201935.dll

C:\WINDOWS\system32\nufcxvsn.dll

 

Restart the computer normally to reset the registry.

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.cvs report.

 

Include a fresh HijackThis log for review.

 

Let me know what problem persist.

Share this post


Link to post
Share on other sites

Dr. Web - accidentally deleted all incurable:

 

setup.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.0.2.2;Probably BACKDOOR.Trojan;Incurable.Deleted.;

inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Deleted.;

Process.exe;C:\Documents and Settings\Chris\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Deleted.;

restart.exe;C:\Documents and Settings\Chris\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Deleted.;

class3[1].htm\JavaScript.0;C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\G9EJG12F\class3[1].htm;Trojan.MulDrop.5819;;

class3[1].htm;C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\G9EJG12F;Archive contains infected objects;Moved.;

SetupPoker.exe;C:\Documents and Settings\Chris\My Documents\Downloads;Adware.Casino;Incurable.Deleted.;

Bandwidth Monitor Pro.exe;C:\Documents and Settings\Chris\My Documents\Downloads\bandwidthmonitorprov1.30regfilebaka\cracked;Probably BACKDOOR.Trojan;Incurable.Deleted.;

backup-20070607-104637-381.dll;C:\Documents and Settings\Chris\My Documents\Downloads\hijackthis\backups;Adware.Crew;Incurable.Deleted.;

Bandwidth Monitor Pro.exe;C:\Program Files\Bandwidth Monitor Pro;Probably BACKDOOR.Trojan;Incurable.Deleted.;

Yazzle1281OinAdmin.exe;C:\Program Files\Common Files;Adware.ClickSpring;Incurable.Deleted.;

WebColps.dll;C:\Program Files\Common Files\Logitech\WebColct;Adware.Altnet;Incurable.Deleted.;

piratestrn-068.exe;C:\Program Files\Firaxis Games\Sid Meier's Pirates!;Tool.GameCrack;Incurable.Deleted.;

samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\Win2k\auto\samsung;Probably BACKDOOR.Trojan;Incurable.Deleted.;

Setup.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\Win98\auto\samsung;Probably BACKDOOR.Trojan;Incurable.Deleted.;

samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\WinMe\auto\samsung;Probably BACKDOOR.Trojan;Incurable.Deleted.;

samsung.exe;C:\Program Files\FutureDial\USB Installer\Support\Drivers\WinXp\auto\Samsung;Probably BACKDOOR.Trojan;Incurable.Deleted.;

mirc.exe;C:\Program Files\mIRC;Program.mIRC.616;Incurable.Deleted.;

Dc3.dll;C:\RECYCLER\S-1-5-21-1708537768-484061587-682003330-1029;Adware.Crew;Incurable.Deleted.;

Dc4.dll;C:\RECYCLER\S-1-5-21-1708537768-484061587-682003330-1029;Trojan.Click.2485;Deleted.;

A0231477.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP770;Trojan.Virtumod;Deleted.;

A0240126.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP771;Trojan.Virtumod;Deleted.;

A0242633.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242634.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242635.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242638.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242642.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242645.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242646.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242647.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0242649.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Virtumod;Deleted.;

A0243950.dll;C:\System Volume Information\_restore{63AEDE7C-274E-4FC1-82C7-2E585964EBD1}\RP775;Trojan.Click.2485;Deleted.;

ddccy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

hlksbiep.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

jsqgqhfn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

nufcxvsn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

qvdybrlb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

ssqpo.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

txsaskmv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

ubcgtwti.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

yupjpqxt.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;

retadpu1000106.exe;C:\WINDOWS;Trojan.DownLoader.23066;Deleted.;

H@tKeysH@@k.DLL;C:\WINDOWS\system32;Tool.Hatkeys;Incurable.Deleted.;

in10b6.dll;C:\WINDOWS\system32;BackDoor.Agobot;Incurable.Moved.;

Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Deleted.;

swuerhlg.exe;C:\WINDOWS\system32;Trojan.Click.2485;Deleted.;

dlltk67.exe;C:\WINDOWS\system32\T3;Trojan.StartPage.19993;Deleted.;

d5ll.exe;C:\WINDOWS\system32\T4;Trojan.MulDrop.6135;Deleted.;

dlwr.exe;C:\WINDOWS\system32\T6;Trojan.DownLoader.22968;Deleted.;

 

 

 

 

HJT Log:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:43:23 AM, on 6/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Chris\My Documents\Downloads\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

 

 

 

 

Still getting IE popups while browsing in firefox.

Share this post


Link to post
Share on other sites

Your log is clean. This may do stop the popups let me know.

 

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

 

Please download FixWareout from this site:

http://downloads.subratam.org/Fixwareout.exe

 

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

 

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. If it does close it.

 

At the end of the fix, you may need to restart your computer again.

 

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Share this post


Link to post
Share on other sites

Thanks for your help

 

 

Fixwareout Last edited 5/15/2007

Post this report in the forums please

...

»»»»»Prerun check

 

»»»»»

 

»»»»» Postrun check

HKLM\SOFTWARE\~\Winlogon\ "System"=""

....

....

»»»»» Misc files.

....

»»»»» Checking for older varients.

....

 

Search five digit cs, dm, kd, jb, other, files.

The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.

 

 

Click browse, find the file then click submit.

http://www.virustotal.com/flash/index_en.html

Or http://virusscan.jotti.org/

 

»»»»» Other

 

»»»»» Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

....

Hosts file was reset, If you use a custom hosts file please replace it

»»»»» End report »»»»»

 

 

 

 

HJT

 

Logfile of HijackThis v1.99.1

Scan saved at 4:50:42 PM, on 6/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

C:\WINDOWS\system32\UAService7.exe

C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\devldr32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Chris\My Documents\Downloads\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live Writer\WriterBrowserExtension.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Electronic Arts Licensing Service - Unknown owner - C:\Program Files\Common Files\Electronic Arts Shared\Service\EA Licensing Service.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

 

 

 

I've noticed less popups, since restarting (about 5min ago) I havn't gotten any yet. Thank you for your help, hopefully they are gone for good!

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0