• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
    • Budfred

      PLEASE READ - Reversing upgrade   02/23/2017

      We have found that this new upgrade is somewhat of a disaster.  We are finding lots of glitches in being able to post and administer the forum.  Additionally, there are new costs associated with the upgrade that we simply cannot afford.  As a result, we have decided to reverse course and go back to the previous version of our software.  Since this will involve restoring it from a backup, we will lose posts that have been added since January 30 or possibly even some before that.    If you started a topic during that time, we urge you to make backups of your posts and you will need to start the topics over again after the change.  You can simply paste the copies of your posts that you created at that point.    If you joined the forum this month, you will need to re-register since your membership will be lost along with the posts.  Since you have a concealed password, we cannot simply restore your membership for you.   We are going to backup as much as we can so that it will reduce inconvenience for our members.  Unfortunately we cannot back everything up since much will be incompatible with the old version of our software.  We apologize for the confusion and regret the need to do this even though it is not viable to continue with this version of the software.   We plan to begin the process tomorrow evening and, if it goes smoothly, we shouldn't be offline for very long.  However, since we have not done this before, we are not sure how smoothly it will go.  We ask your patience as we proceed.   EDIT: I have asked our hosting service to do the restore at 9 PM Central time and it looks like it will go forward at that time.  Please prepare whatever you need to prepare so that we can restore your topics when the forum is stable again.
Sign in to follow this  
Followers 0
lilpixi

IE running w/o opening

30 posts in this topic

I've been having computer problems since March 2007 and can't figure out what's wrong. It started with MSIE v6 opening slow. (first window and any new windows). So i started using firefox. Then i noticed that the process "iexplore.exe" was running even though i never opened MSIE. I searched my computer for the file and it seemed to be in normal folders program files, and service packs). More recently i have been getting pop ups in MSIE (and i'm not using the program) mostly about online schools. The process iexplore.exe still opens on its own (and most of the time i don't see a pop up). I have seen the processes cscript.exe and cmd.exe running sometimes (i dunno if these are a problem but they show up when iexplore does.). I have also had problems related to msmss.exe.

 

Here's what i've done to try and fix the problems::

in March/April:

cleared up disk space (because initially i thought this was part of the problem)

error checking (and it found errors)

disk clean up (couldn't complete. major error)

 

Recently (May 29-30ish):

AdAware (several times)

Spyboy Search and destroy

AVG Anti-Spyware 7.5 (trial)

HiJack This log below (after all the scans and fixes above)

 

Thank you.

 

Logfile of HijackThis v1.99.1

Scan saved at 7:06:01 PM, on 5/31/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\SpybotSearchDestroy\TeaTimer.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\SpybotSearchDestroy\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: (no name) - {8ace7a1e-6de5-4ff1-a1da-fe8c6cf4b1a2} - C:\WINDOWS\system32\c_7dsp.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.safeway.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.7) - http://gameadvisor.futuremark.com/global/msc37.cab

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: c_7dsp - c_7dsp.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O21 - SSODL: mssms - {C71732C2-CB58-4877-8C03-E35A630388F9} - C:\WINDOWS\mssms.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]

Share this post


Link to post
Share on other sites

Welcome to the forum :wave:

 

I apologize for the delay getting to you, the helpers here are all volunteers and we have been very busy here lately.

 

Download SDFix and save it to your Desktop.

 

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press the F8 key
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Share this post


Link to post
Share on other sites

thank you. SDfix log first follwed by HJT log

-------------------------------------------------------------------

 

SDFix: Version 1.86

 

Run by Owner - Wed 06/06/2007 - 22:32:00.39

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Restoring Windows Registry Values

Restoring Windows Default Hosts File

 

Rebooting...

 

 

Normal Mode:

Checking Files:

 

Below files will be copied to Backups folder then removed:

 

C:\DOCUME~1\Owner\LOCALS~1\Temp\abc123.pid - Deleted

C:\DOCUME~1\Owner\LOCALS~1\Temp\hd-log.txt - Deleted

C:\DOCUME~1\Owner\LOCALS~1\Temp\uninstall.exe - Deleted

C:\WINDOWS\ietools.dll - Deleted

C:\WINDOWS\mssms.dll - Deleted

C:\WINDOWS\search_res.txt - Deleted

C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp*.tmp - Deleted

 

Removing Temp Files...

 

ADS Check:

 

Checking if ADS is attached to system32 Folder

C:\WINDOWS\system32

No streams found.

 

Checking if ADS is attached to svchost.exe

C:\WINDOWS\system32\svchost.exe

No streams found.

 

Checking if ADS is attached to ntoskrnl.exe

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

 

Final Check:

 

Remaining Services:

------------------

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"C:\\Program Files\\WS_FTP\\WS_FTP95.exe"="C:\\Program Files\\WS_FTP\\WS_FTP95.exe:*:Enabled:WS_FTP 95"

"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"="C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe:*:Enabled:Dreamweaver MX 2004"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"C:\\Program Files\\BitTorrent\\btdownloadgui.exe"="C:\\Program Files\\BitTorrent\\btdownloadgui.exe:*:Disabled:btdownloadgui"

"C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe"="C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe:*:Disabled:BackWeb-137903"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"

"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"

"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Disabled:RealPlayer"

"C:\\Program Files\\EA GAMES\\The Sims 2\\TSBin\\Sims2.exe"="C:\\Program Files\\EA GAMES\\The Sims 2\\TSBin\\Sims2.exe:*:Enabled:The Sims 2"

"C:\\Program Files\\EA GAMES\\The Sims 2 Nightlife\\TSBin\\Sims2EP2.exe"="C:\\Program Files\\EA GAMES\\The Sims 2 Nightlife\\TSBin\\Sims2EP2.exe:*:Enabled:The Sims 2 Nightlife"

"C:\\Program Files\\EA GAMES\\The Sims 2 University\\TSBin\\Sims2EP1.exe"="C:\\Program Files\\EA GAMES\\The Sims 2 University\\TSBin\\Sims2EP1.exe:*:Enabled:The Sims 2 University"

"C:\\Xtra\\Programs\\Alice\\ALICE\\alice.exe"="C:\\Xtra\\Programs\\Alice\\ALICE\\alice.exe:*:Disabled:American McGee's Alice"

"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Disabled:Yahoo! Messenger"

"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:0"

"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"

"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Disabled:AIM"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\AIM95\\aim.exe"="C:\\Program Files\\AIM95\\aim.exe:*:Enabled:AOL Instant Messenger"

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

Listing Files with Hidden Attributes:

 

C:\Documents and Settings\Owner\NetHood\careers on www.forever21.com\Desktop.ini

C:\Documents and Settings\Owner\NetHood\Documents on www.regymnastics.com\Desktop.ini

C:\Documents and Settings\Owner\NetHood\glide-kip.com\Desktop.ini

C:\WINDOWS\twain.dll

C:\WINDOWS\twain_32.dll

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\Program Files\Detto\DettoWeb.exe

C:\Program Files\Detto\IntelliMover Demo.exe

C:\WINDOWS\system32\KGyGaAvL.sys

C:\Documents and Settings\Sims2\Local Settings\Temp\BIT4.tmp

 

Listing User Accounts:

 

User accounts for \\CEM_HP

 

Administrator ASPNET Guest

HelpAssistant Owner Sims2

SUPPORT_388945a0 SUPPORT_fddfa904

 

Finished

-------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 11:10:12 PM, on 6/6/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\SpybotSearchDestroy\TeaTimer.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.safeway.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply along with a fresh HijackThis log.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Share this post


Link to post
Share on other sites

Ok I ran ComboFix.

 

When i started the program, it wanted me to change my search settings (Google) and my screen saver (it is currently the shooting stars that comes with windows). I denied these changes (using TeaTimer) but allowed a couple changes. The program also seemed to turn off my Windows firewall. And when i started Firefox it said it was no longer my default browser. Can i safely keep these things?

 

And i wanted to let you know that i have to windows user accounts.

Both logs are posted below.

Thank you.

 

ComboFix log:

 

"Owner" - 2007-06-08 1:02:31 Service Pack 2 NTFS

ComboFix 07-06-3B - Running from: "C:\Documents and Settings\Owner\Desktop\"

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

 

-- Purity Folders:

C:\Program Files\SMBOLS~1

C:\WINDOWS\install.exe

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\nm

 

 

((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 )))))))))))))))))))))))))))))))

 

 

2007-05-31 18:47 37,447 --a------ C:\WINDOWS\system32\hkcmd.exe

2007-05-31 18:44 37,447 --a------ C:\WINDOWS\system32\igfxtray.exe

2007-05-31 15:15 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-07 07:38:53 -------- d-----w C:\Program Files\PaintShopPro6

2007-06-06 06:09:10 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM

2007-05-31 07:15:09 -------- d-----w C:\Program Files\SpybotSearchDestroy

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-17 05:17:36 27,281 ----a-w C:\WINDOWS\system32\gebcd.exe

2007-03-16 05:15:21 1,168 ----a-w C:\WINDOWS\mozver.dat

2007-03-09 08:35:41 335 ----a-w C:\WINDOWS\nsreg.dat

2007-03-09 08:14:15 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys

2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll

2007-03-08 15:36:28 40,960 ------w C:\WINDOWS\system32\mf3216.dll

2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll

2007-03-08 13:47:48 1,843,584 ------w C:\WINDOWS\system32\win32k.sys

2001-08-18 12:00:00 94,784 --sh--w C:\WINDOWS\twain.dll

2004-08-04 07:56:46 50,688 --sh--w C:\WINDOWS\twain_32.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 00:47]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{56071E0D-C61B-11D3-B41C-00E02927A304}=C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll [2002-03-04 22:42]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 16:29]

{65D886A2-7CA7-479B-BB95-14D1EFB7946A}=C:\Program Files\Yahoo!\Common\YIeTagBm.dll [2006-07-28 12:36]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-20 00:55]

{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 01:03]

{BDF3E430-B101-42AD-A544-FADC6B084872}=c:\Program Files\Norton AntiVirus\NavShExt.dll [2002-02-27 18:07]

{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}=c:\Program Files\Microsoft Money\System\mnyviewer.dll [2001-07-25 17:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PreloadApp"="c:\hp\drivers\printers\photosmart\hphprld.exe" [2001-12-12 23:05]

"nwiz"="nwiz.exe" [2002-03-09 16:53 C:\WINDOWS\system32\nwiz.exe]

"S3apphk"="S3apphk.exe" [2002-03-15 22:51 C:\WINDOWS\system32\S3apphk.exe]

"NAV Agent"="c:\PROGRA~1\NORTON~1\navapw32.exe" [2007-03-08 00:18]

"AdobeVersionCue"="C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2007-03-08 00:18]

"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe" [2007-03-08 00:18]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-08 00:18]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-08 00:18]

"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-03-08 00:18]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="C:\Program Files\SpybotSearchDestroy\TeaTimer.exe" [2005-05-31 01:04]

"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-31 18:46]

"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 08:29]

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

 

 

Contents of the 'Scheduled Tasks' folder

2006-11-25 00:05:00 C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job

2007-06-08 08:16:49 C:\WINDOWS\tasks\Symantec NetDetect.job

 

**************************************************************************

 

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-08 01:15:52

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-08 1:20:31 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-08 01:20

 

--- E O F ---

 

 

HiJackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 1:33:36 AM, on 6/8/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\SpybotSearchDestroy\TeaTimer.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.safeway.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites
Ok I ran ComboFix.

When i started the program, it wanted me to change my search settings (Google) and my screen saver (it is currently the shooting stars that comes with windows). I denied these changes (using TeaTimer) but allowed a couple changes. The program also seemed to turn off my Windows firewall. And when i started Firefox it said it was no longer my default browser. Can i safely keep these things?

 

Yes, that is fine Combofix was just trying to reset IE settings to default in case they were Hijacked, but I do not believe that is the case in your situation. Go ahead and turn your Windows Firewall back on. One of the infections that sdfix removed probably turned it off as well as the notification that it was off.

 

[*]Delete the following file:

  • C:\WINDOWS\system32\gebcd.exe

Please reboot your computer and let me know if you are still having the IE problems.

 

If so, lets try something go to Start->Control Panel->Automatic Updates and temporarily Turn Off automatic updates. Let me know if the problem persists with IE. If this fixes it we will need come up with a more permanent solution.

Share this post


Link to post
Share on other sites

Yes I am still having IE problems after deleting the file and turning off automatic updates.

 

I have reoccurring problems with mssms.dll

TeaTimer is constantly letting me know it's being added and keeps letting me know unless i allow the change.

I've tried removing it in Safe Mode and it comes back later. I've turned off system restore and tired removing it and it still comes back. And i get popups in IE sometimes too (they're ebay or education related)

 

I remember i had Smitfraud when i ran Spybot a while back.... i read they're related.

Share this post


Link to post
Share on other sites

Let's take a look, I do not see other evidence of smitfraud so it might be leftover from previous infection, but lets make sure.

 

Please download Smitfraudfix . If you have previously downloaded Smitfraudfix, please delete that version and download the new one.

Then double click Smitfraudfix.exe. Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present, after a few minutes).

Please copy/paste the content of that report into your next reply.

Share this post


Link to post
Share on other sites

thanks for continuing to help me.

 

I'm still getting IE pop ups and i notice iexplore.exe process running. (And i don't use IE right now!)

 

Here's the SmitfraudFix log:(i didn't use any other features yet)

 

SmitFraudFix v2.195

 

Scan done at 1:22:47.53, Fri 06/15/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\SpybotSearchDestroy\TeaTimer.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="c:\\windows\\system32\\jkklihh.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: MAC Bridge Miniport - Packet Scheduler Miniport

DNS Server Search Order: 208.180.42.100

DNS Server Search Order: 208.180.42.68

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS1\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS2\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

Share this post


Link to post
Share on other sites

I do not see evidence of smitfraud in that log, so for now there is now reason to run the fix part of that tool, but I do see something else I do not like.

 

[*]Please temporarily disable TeaTimer by doing the following (It tends to interfere with our fixes you can re-enable it when you are clean):

  • Run Spybot-S&D
  • Go to the Mode menu, and make sure "Advanced Mode" is selected
  • On the left hand side, choose Tools -> Resident
  • Uncheck "Resident TeaTimer" and OK any prompts

 

 

[*]Please download OTMoveIt by OldTimer to your desktop.

 

[*] Download Dr.Web CureIt to the desktop. Do not use the scan yet

 

[*]Open notepad and copy and paste the all the text inside the following code box into it:

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mssms"=-

  • Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
  • Then please go to the desktop and double-click on fix.reg, click Yes to merge it with the registry.

[*] Please double-click OTMoveIt.exe to run it.

  • Copy and paste the following file paths in red into the window where it says: "Paste List of Files/Folders to be Moved"
    • C:\windows\system32\jkklihh.dll
      C:\WINDOWS\mssms.dll

    [*] Then click the red Moveit! button below.

    [*]Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.. Then it will reboot your computer, if it does not ask, please reboot your computer manually. A log file will be created at the following location: C:\OTMoveIt\MovedFiles and search for the log: ********_******.log (the * stands for date and time)

 

[*]Doubleclick the drweb-cureit.exe, Click "Start" and Allow to run the express scan.

  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a popup to buy it in between, to buy or 50% discount. Just close that popup again.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

[*]Please run HijackThis.

  • Choose Open the Misc Tools section.
  • Choose Open Uninstall Manager....
  • Choose Save list.., save it to a convenient place.

[*]Please run option 1 search of Smitfraudfix again and save the log.

 

[*]In your next reply please post the following logs:

  • The log from OTMoveIt
    The log from drweb-cureit
    The Uninstall list created by HijackThis
    The Search log from Smitfraud fix
    and finally a fresh HijackThis log

Share this post


Link to post
Share on other sites

mssms.dll started running while I was starting DR Web cureit.

I got a couple IE pop ups while scanning also

 

<<<In your next reply please post the following logs:

The log from OTMoveIt

The log from drweb-cureit

The Uninstall list created by HijackThis

The Search log from Smitfraud fix

and finally a fresh HijackThis log>>>

 

OTMoveIT (there was an error from Winbdows so i did this twice)

 

DllUnregisterServer procedure not found in C:\windows\system32\jkklihh.dll

C:\windows\system32\jkklihh.dll NOT unregistered.

File move failed. C:\windows\system32\jkklihh.dll scheduled to be moved on reboot.

DllUnregisterServer procedure not found in C:\WINDOWS\mssms.dll

C:\WINDOWS\mssms.dll NOT unregistered.

C:\WINDOWS\mssms.dll moved successfully.

 

Created on 06/16/2007 14:47:58

---

DllUnregisterServer procedure not found in C:\windows\system32\jkklihh.dll

C:\windows\system32\jkklihh.dll NOT unregistered.

File move failed. C:\windows\system32\jkklihh.dll scheduled to be moved on reboot.

File/Folder C:\WINDOWS\mssms.dll not found.

 

Created on 06/16/2007 14:48:30

 

 

----------------

Dr Web log (is this the right one?)

 

versioncuetray.exe;c:\program files\adobe\adobe version cue\controlpanel;Trojan.DownLoader.19442;Deleted.;

aim.exe;c:\program files\aim95;Trojan.DownLoader.19442;Deleted.;

googletoolbarnotifier.exe;c:\program files\google\googletoolbarnotifier\1.2.1128.5462;Trojan.DownLoader.19442;Deleted.;

ituneshelper.exe;c:\program files\itunes;Trojan.DownLoader.19442;Deleted.;

jusched.exe;c:\program files\java\j2re1.4.2_07\bin;Trojan.DownLoader.19442;Deleted.;

navapw32.exe;c:\program files\norton antivirus;Trojan.DownLoader.19442;Will be cured after reboot.;

qttask.exe;c:\program files\quicktime;Trojan.DownLoader.19442;Deleted.;

sndmon.exe;c:\program files\symnetdrv;Trojan.DownLoader.19442;Deleted.;

RegUBP2b-Owner.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots;Trojan.StartPage.1505;Deleted.;

tmpE.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.Packed.49;Deleted.;

Process.exe;C:\Documents and Settings\Owner\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;

 

 

Ad-Aware SE Personal

Adobe Acrobat - Reader 6.0.2 Update

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Creative Suite

Adobe Download Manager 1.2 (Remove Only)

Adobe Flash Player 9 ActiveX

Adobe Photoshop Album 2.0 Starter Edition

Adobe Reader 6.0.1

Adobe SVG Viewer 3.0

AIM 6

AIM Toolbar

American Idol

AOL Instant Messenger

ArcSoft ShowBiz

ArcSoft Software Suite

Atomic Pop

AVG Anti-Spyware 7.5

Betty Bad

BitTorrent 3.4.2 (Neurox SecureBT 1.32)

Blasterball Wild

Dark Orbit

DC++ (remove only)

Detto IntelliMover Demo

DivX

DivX Player

Easy Internet Sign-up

Family Tree Maker 2005

Freedom Security && Privacy Suite

GemMaster 2

Google Toolbar for Internet Explorer

GymQuest 4.1.3 Data Update

HijackThis 1.99.1

hp center

hp deskjet 940c series

HP DLA

HP Instant Support

HP Memories Disc

HP Photo Printing Software

HP RecordNow

Inactive HP Printer Drivers (Remove only)

Intel® Extreme Graphics Driver

InterVideo WinDVD

iTunes

Java 2 Runtime Environment, SE v1.4.2_07

KBD

Kublox

Level 7 and 8 Rules, Deductions and Quizzes

LiveReg (Symantec Corporation)

LiveUpdate 1.80 (Symantec Corporation)

Macromedia Dreamweaver MX 2004

Macromedia Extension Manager

Macromedia Fireworks MX 2004

Macromedia Flash MX 2004

Macromedia FreeHand MXa

Macromedia Shockwave Player

MarketBrowser

Men In Black II Crossfire

Microsoft .NET Framework 1.1

Microsoft Data Access Components KB870669

Microsoft Money 2002

Microsoft Money 2002 System Pack

Microsoft Office XP Professional with FrontPage

Microsoft Works 6.0

Microsoft Works and Money 2002 Setup Launcher

Mozilla Firefox (2.0.0.4)

MUSICMATCH Jukebox

Network Play System (Patching)

Norton AntiVirus 2002

Norton WMI Update

NVIDIA Windows 2000/XP Display Drivers

PC-Doctor for Windows

PigPen

PS2

Python 1.5 combined Win32 extensions

Python 1.5.2 (final)

Quicken Financial Center

QuickTime

RealPlayer

SabreWing 2

Secure Delivery

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Shockwave

Sonic Foundry Super Duper Music Looper XPress

SoundMAX

Space Rocks

Speedway

Spybot - Search & Destroy 1.4

SpywareBlaster v3.5.1

SSH Secure Shell

Tcl 8.0.5 for Windows

The Sims 2

The Sims 2 Body Shop

The Sims 2 Nightlife

The Sims 2 Open For Business

The Sims 2 Pets

The Sims 2 University

The Sims Hot Date Object Organizer 1.0

The Sims Make A Date

The Sims Make-A-Celebrity

The Sims Makin' Magic

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

VERITAS StorageGuard

Viewpoint Manager (Remove Only)

Viewpoint Media Player

Virtual Warfare

WavePad Uninstall

WeatherBug

WildTangent GameChannel (remove only)

Windows Installer 3.1 (KB893803)

Windows Installer 3.1 (KB893803)

Windows XP Hotfix - KB834707

Windows XP Hotfix - KB867282

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB885884

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893066

Windows XP Hotfix - KB893086

Windows XP Service Pack 2

WordPerfect Office 2002 Try Before You Buy

WordPerfect Office 2002 Try Before You Buy

XviD Video Codec 24.2.2003-11:00 (uManiac's build)

Yahoo! extras

Yahoo! Install Manager

Yahoo! Messenger

Yahoo! Toolbar

You Know What 2 - Arts and Entertainment

You Know What 2 - History and Geography

You Know What 2 - Potpourri

You Know What 2 - Science and Nature

You Know What 2 - Sports and Games

 

------------

 

SmitFraudFix v2.195

 

Scan done at 18:17:24.85, Sat 06/16/2007

Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

 

»»»»»»»»»»»»»»»»»»»»»»»» Process

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\cmd.exe

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

 

 

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="c:\\windows\\system32\\jkklihh.dll"

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

 

 

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

Description: MAC Bridge Miniport - Packet Scheduler Miniport

DNS Server Search Order: 208.180.42.100

DNS Server Search Order: 208.180.42.68

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS1\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS2\Services\Tcpip\..\{48054A6A-526C-4752-B305-EE0BBF1D8477}: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=208.180.42.100 208.180.42.68

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

------------

 

Logfile of HijackThis v1.99.1

Scan saved at 6:11:28 PM, on 6/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: (no name) - {9b97325e-f311-46c1-89c5-3a3489b26287} - C:\WINDOWS\system32\comeng.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comeng.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\comeng.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.safeway.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - AppInit_DLLs: c:\windows\system32\jkklihh.dll

O20 - Winlogon Notify: comeng - C:\WINDOWS\SYSTEM32\comeng.dll

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O21 - SSODL: mssms - {B35978BA-4450-41E6-A2C4-74DA7CEE2952} - C:\WINDOWS\mssms.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

This script was written specifically for this user, and should not be duplicated on any other system or damage may occur to the system.

 

Download The Avenger by Swandog46, and save it to your Desktop.

Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.

Check the 'Input script manually' box.

Click on the magnifying glass icon.

Copy everything in the code box below, and paste it in the box that opens:

 

Files to delete:
C:\WINDOWS\ietools.dll
C:\WINDOWS\system32\comeng.dll
c:\windows\system32\jkklihh.dll
C:\WINDOWS\mssms.dll

Registry values to replace with dummy:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs

Now click the 'Done' button.

Click on the traffic light icon and OK the prompt.

You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it.

 

A log file from Avenger will be produced at C:\avenger.txt, please post that log here, along with a new HijackThis log.

Share this post


Link to post
Share on other sites

Avenger and HJT logs:

 

 

Logfile of The Avenger version 1, by Swandog46

Running from registry key:

\Registry\Machine\System\CurrentControlSet\Services\jsyfwbci

 

*******************

 

Script file located at: \??\C:\dcsbcxrl.txt

Script file opened successfully.

 

Script file read successfully

 

Backups directory opened successfully at C:\Avenger

 

*******************

 

Beginning to process script file:

 

File C:\WINDOWS\ietools.dll deleted successfully.

File C:\WINDOWS\system32\comeng.dll deleted successfully.

 

 

File c:\windows\system32\jkklihh.dll not found!

Deletion of file c:\windows\system32\jkklihh.dll failed!

 

Could not process line:

c:\windows\system32\jkklihh.dll

Status: 0xc0000034

 

File C:\WINDOWS\mssms.dll deleted successfully.

Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows|AppInit_DLLs replaced with dummy successfully.

 

Completed script processing.

 

*******************

 

Finished! Terminate.

-------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 9:46:29 PM, on 6/16/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: (no name) - {9b97325e-f311-46c1-89c5-3a3489b26287} - C:\WINDOWS\system32\comeng.dll (file missing)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://www.safeway.com

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: comeng - comeng.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O21 - SSODL: mssms - {B35978BA-4450-41E6-A2C4-74DA7CEE2952} - C:\WINDOWS\mssms.dll (file missing)

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

Good,

 

I will have more instructions for you in the morning.

 

In the meantime can you tell me if your Norton subscription is current?

 

Also are you still having the popup problem?

Share this post


Link to post
Share on other sites

No, Norton is not up to date. I haven't paid the subscription, so i can scan but no new updates.

I haven't had new updates since Sept. 2005.

 

 

No pop ups so far since the last fix i did. *crosses fingers*

Share this post


Link to post
Share on other sites

I believe we have removed most of the infection. But this infection has damaged some of your programs and changed some settings. We will need to correct these items so you do not have problems in the future. After we clean up a few things we will remove Norton and replace it with a Anti-Virus program that is free for home use.

 

[*]Run HijackThis, Choose "Do a system scan only" and checkmark the box next to the following entries.

  • O2 - BHO: MSVPS System - {2724E072-19D0-486d-A819-9D914191AE92} - C:\WINDOWS\ietools.dll (file missing)
    O2 - BHO: (no name) - {9b97325e-f311-46c1-89c5-3a3489b26287} - C:\WINDOWS\system32\comeng.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)
    O20 - Winlogon Notify: comeng - comeng.dll (file missing)
    O21 - SSODL: mssms - {B35978BA-4450-41E6-A2C4-74DA7CEE2952} - C:\WINDOWS\mssms.dll (file missing)

[*]Close all other windows and browsers, then click "Fix Checked".

 

 

[*]Please Download FindAWF by noahdfear.

  • Save the file to the desktop and run.
  • It will save a log to your desktop called awf that you will post later.

[*]Download DelDomains.inf to your desktop.

  • The right click on the file and select: Install

This will remove all entries from your trusted and restricted zones these entries are frequently changed by the infection you had. If you use protection programs like spybot or spywareblaster you should re-immunize or re-enable protection after taking this step.

 

[*]Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop:

  • Locate ResetProtocolDefaults.reg which should be on your desktop.
  • Right-click and select Merge.
  • OK the prompt.

Please reboot your computer and post a fresh HijackThis log as well as the log from awf.

Share this post


Link to post
Share on other sites

Thanks for your help! I can tell my computer is better! I have a second login/user is Windows XP. Do i need to do anything with this? Here's the requested logs:

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 2:52:17 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe (file missing)

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

-----------------------------

 

Find AWF report by noahdfear ©2006

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\PROGRA~1\AIM95\BAK

 

09/01/2004 09:26 AM 66,672 aim.exe

1 File(s) 66,672 bytes

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

12/18/2004 01:20 AM 278,528 iTunesHelper.exe

1 File(s) 278,528 bytes

 

Directory of C:\PROGRA~1\MICROS~3\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\NORTON~1\BAK

 

02/27/2002 06:27 PM 75,384 navapw32.exe

1 File(s) 75,384 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

02/25/2005 03:02 PM 98,304 qttask.exe

1 File(s) 98,304 bytes

 

Directory of C:\PROGRA~1\SPYBOT~1\BAK

 

05/12/2004 01:03 AM 1,038,336 TeaTimer.exe

1 File(s) 1,038,336 bytes

 

Directory of C:\PROGRA~1\SYMNET~1\BAK

 

09/07/2006 11:26 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

 

Directory of C:\WINDOWS\SMINST\BAK

 

12/18/2001 11:39 PM 212,992 RECGUARD.EXE

1 File(s) 212,992 bytes

 

Directory of C:\WINDOWS\SYSTEM\BAK

 

05/07/1998 04:04 PM 52,736 hpsysdrv.exe

1 File(s) 52,736 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

08/20/2004 04:51 PM 118,784 hkcmd.exe

08/20/2004 04:55 PM 155,648 igfxtray.exe

07/03/2001 08:13 PM 81,920 ps2.exe

3 File(s) 356,352 bytes

 

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

03/14/2002 10:25 AM 102,455 tfswctrl.exe

1 File(s) 102,455 bytes

 

Directory of C:\PROGRA~1\ADOBE\ADOBEV~1\CONTRO~1\BAK

 

03/25/2004 11:35 AM 1,732,608 VersionCueTray.exe

1 File(s) 1,732,608 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

 

01/27/2007 03:50 PM 171,448 GoogleToolbarNotifier.exe

1 File(s) 171,448 bytes

 

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

 

01/15/2005 01:24 PM 32,881 jusched.exe

1 File(s) 32,881 bytes

 

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

 

10/25/2001 09:55 PM 196,608 hpztsb04.exe

1 File(s) 196,608 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

66672 Sep 1 2004 "C:\Program Files\AIM95\bak\aim.exe"

278528 Dec 18 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"

98304 Feb 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"

1415824 May 31 2005 "C:\Program Files\SpybotSearchDestroy\TeaTimer.exe"

1038336 May 12 2004 "C:\Program Files\SpybotSearchDestroy\bak\TeaTimer.exe"

100056 Sep 7 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

212992 Dec 18 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"

52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"

90112 Aug 7 2001 "C:\hp\drivers\video\HKCMD.EXE"

118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"

106496 Mar 12 2002 "C:\hp\drivers\video\845\hkcmd.exe"

118784 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\hkcmd.exe"

106496 Mar 12 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"

118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\hkcmd.exe"

143360 Aug 8 2001 "C:\hp\drivers\video\IGFXTRAY.EXE"

155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"

155648 Mar 12 2002 "C:\hp\drivers\video\845\igfxtray.exe"

155648 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\igfxtray.exe"

155648 Mar 12 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"

155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxtray.exe"

81920 Jul 3 2001 "C:\hp\drivers\keyboard\PS2.EXE"

81920 Jul 3 2001 "C:\WINDOWS\system32\bak\ps2.exe"

102455 Mar 14 2002 "C:\Program Files\HP DLA\install\tfswctrl.exe"

102455 Mar 14 2002 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

61440 Mar 25 2004 "C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe"

1732608 Mar 25 2004 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe"

52272 Jan 27 2007 "C:\Program Files\Google\googletoolbar3user.exe"

138168 Jan 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

171448 Jan 27 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe"

196608 Oct 25 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"

 

 

end of report

Share this post


Link to post
Share on other sites

Just before we are finished remind me a we will look at a quick log for the other user to make sure it is clean too.

 

In the meantime more cleaning....

 

Please open Notepad, and copy and paste the text present inside the code box below:

 

if exist "C:\Program Files\AIM95\aim.exe" del /q "C:\Program Files\AIM95\aim.exe"	  
copy /y "C:\Program Files\AIM95\bak\aim.exe" "C:\Program Files\AIM95\aim.exe"	  
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"	  
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"	  
if exist "C:\Program Files\Norton AntiVirus\navapw32.exe" del /q "C:\Program Files\Norton AntiVirus\navapw32.exe"	  
copy /y "C:\Program Files\Norton AntiVirus\bak\navapw32.exe" "C:\Program Files\Norton AntiVirus\navapw32.exe"	  
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"	  
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"	  
if exist "C:\Program Files\SpybotSearchDestroy\TeaTimer.exe" del /q "C:\Program Files\SpybotSearchDestroy\TeaTimer.exe"	  
copy /y "C:\Program Files\SpybotSearchDestroy\bak\TeaTimer.exe" "C:\Program Files\SpybotSearchDestroy\TeaTimer.exe"	  
if exist "C:\Program Files\SymNetDrv\SNDMon.exe" del /q "C:\Program Files\SymNetDrv\SNDMon.exe"	  
copy /y "C:\Program Files\SymNetDrv\bak\SNDMon.exe" "C:\Program Files\SymNetDrv\SNDMon.exe"	  
if exist "C:\WINDOWS\SMINST\RECGUARD.EXE" del /q "C:\WINDOWS\SMINST\RECGUARD.EXE"	  
copy /y "C:\WINDOWS\SMINST\bak\RECGUARD.EXE" "C:\WINDOWS\SMINST\RECGUARD.EXE"	  
if exist "C:\WINDOWS\system\sysdrv.exe" del /q "C:\WINDOWS\system\sysdrv.exe"	  
copy /y "C:\WINDOWS\system\bak\sysdrv.exe" "C:\WINDOWS\system\sysdrv.exe"	  
if exist "C:\WINDOWS\system32\hkcmd.exe" del /q "C:\WINDOWS\system32\hkcmd.exe"	  
copy /y "C:\WINDOWS\system32\bak\hkcmd.exe" "C:\WINDOWS\system32\hkcmd.exe"	  
if exist "C:\WINDOWS\system32\igfxtray.exe" del /q "C:\WINDOWS\system32\igfxtray.exe"	  
copy /y "C:\WINDOWS\system32\bak\igfxtray.exe" "C:\WINDOWS\system32\igfxtray.exe"	  
if exist "C:\WINDOWS\system32\ps2.exe" del /q "C:\WINDOWS\system32\ps2.exe"	  
copy /y "C:\WINDOWS\system32\bak\ps2.exe" "C:\WINDOWS\system32\ps2.exe"	  
if exist "C:\WINDOWS\system32\dla\tfswctrl.exe" del /q "C:\WINDOWS\system32\dla\tfswctrl.exe"	  
copy /y "C:\WINDOWS\system32\dla\bak\tfswctrl.exe" "C:\WINDOWS\system32\dla\tfswctrl.exe"	  
if exist "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" del /q "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"	  
copy /y "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe" "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"	  
if exist "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" del /q "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"	  
copy /y "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe" "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"	  
if exist "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe" del /q "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe"	  
copy /y "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe" "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe"	  
if exist "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" del /q "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"	  
copy /y "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe" "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"	  

 

Save this as restore.bat. Choose to save as "All files" and place it on your desktop.

 

It should look like this: bat.gif

 

Double-click on restore.bat and allow it to run.

 

In case you still are unsure on how to create a BAT file, please take a look HERE with screenshots.

 

 

NEXT:

 

Please REBOOT your computer and post these logs in your next reply:

  1. A new FindAWF log.
  2. A new HijackThis log.

Share this post


Link to post
Share on other sites

Find AWF report by noahdfear ©2006

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\PROGRA~1\AIM95\BAK

 

09/01/2004 09:26 AM 66,672 aim.exe

1 File(s) 66,672 bytes

 

Directory of C:\PROGRA~1\ITUNES\BAK

 

12/18/2004 01:20 AM 278,528 iTunesHelper.exe

1 File(s) 278,528 bytes

 

Directory of C:\PROGRA~1\MICROS~3\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\NORTON~1\BAK

 

02/27/2002 06:27 PM 75,384 navapw32.exe

1 File(s) 75,384 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

02/25/2005 03:02 PM 98,304 qttask.exe

1 File(s) 98,304 bytes

 

Directory of C:\PROGRA~1\SPYBOT~1\BAK

 

05/12/2004 01:03 AM 1,038,336 TeaTimer.exe

1 File(s) 1,038,336 bytes

 

Directory of C:\PROGRA~1\SYMNET~1\BAK

 

09/07/2006 11:26 PM 100,056 SNDMon.exe

1 File(s) 100,056 bytes

 

Directory of C:\WINDOWS\SMINST\BAK

 

12/18/2001 11:39 PM 212,992 RECGUARD.EXE

1 File(s) 212,992 bytes

 

Directory of C:\WINDOWS\SYSTEM\BAK

 

05/07/1998 04:04 PM 52,736 hpsysdrv.exe

1 File(s) 52,736 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

08/20/2004 04:51 PM 118,784 hkcmd.exe

08/20/2004 04:55 PM 155,648 igfxtray.exe

07/03/2001 08:13 PM 81,920 ps2.exe

3 File(s) 356,352 bytes

 

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

03/14/2002 10:25 AM 102,455 tfswctrl.exe

1 File(s) 102,455 bytes

 

Directory of C:\PROGRA~1\ADOBE\ADOBEV~1\CONTRO~1\BAK

 

03/25/2004 11:35 AM 1,732,608 VersionCueTray.exe

1 File(s) 1,732,608 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

 

01/27/2007 03:50 PM 171,448 GoogleToolbarNotifier.exe

1 File(s) 171,448 bytes

 

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

 

01/15/2005 01:24 PM 32,881 jusched.exe

1 File(s) 32,881 bytes

 

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

 

10/25/2001 09:55 PM 196,608 hpztsb04.exe

1 File(s) 196,608 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

66672 Sep 1 2004 "C:\Program Files\AIM95\aim.exe"

66672 Sep 1 2004 "C:\Program Files\AIM95\bak\aim.exe"

278528 Dec 18 2004 "C:\Program Files\iTunes\iTunesHelper.exe"

278528 Dec 18 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"

75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\navapw32.exe"

75384 Feb 27 2002 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"

98304 Feb 25 2005 "C:\Program Files\QuickTime\qttask.exe"

98304 Feb 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"

1038336 May 12 2004 "C:\Program Files\SpybotSearchDestroy\TeaTimer.exe"

1038336 May 12 2004 "C:\Program Files\SpybotSearchDestroy\bak\TeaTimer.exe"

100056 Sep 7 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"

100056 Sep 7 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"

212992 Dec 18 2001 "C:\WINDOWS\SMINST\RECGUARD.EXE"

212992 Dec 18 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"

52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"

118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"

90112 Aug 7 2001 "C:\hp\drivers\video\HKCMD.EXE"

118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"

106496 Mar 12 2002 "C:\hp\drivers\video\845\hkcmd.exe"

118784 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\hkcmd.exe"

106496 Mar 12 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"

118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\hkcmd.exe"

155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"

143360 Aug 8 2001 "C:\hp\drivers\video\IGFXTRAY.EXE"

155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"

155648 Mar 12 2002 "C:\hp\drivers\video\845\igfxtray.exe"

155648 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\igfxtray.exe"

155648 Mar 12 2002 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"

155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\igfxtray.exe"

81920 Jul 3 2001 "C:\WINDOWS\system32\ps2.exe"

81920 Jul 3 2001 "C:\hp\drivers\keyboard\PS2.EXE"

81920 Jul 3 2001 "C:\WINDOWS\system32\bak\ps2.exe"

102455 Mar 14 2002 "C:\Program Files\HP DLA\install\tfswctrl.exe"

102455 Mar 14 2002 "C:\WINDOWS\system32\dla\tfswctrl.exe"

102455 Mar 14 2002 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"

1732608 Mar 25 2004 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"

61440 Mar 25 2004 "C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe"

1732608 Mar 25 2004 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe"

52272 Jan 27 2007 "C:\Program Files\Google\googletoolbar3user.exe"

138168 Jan 27 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"

171448 Jan 27 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"

171448 Jan 27 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe"

32881 Jan 15 2005 "C:\Program Files\Java\j2re1.4.2_07\bin\bak\jusched.exe"

196608 Oct 25 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe"

196608 Oct 25 2001 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"

 

 

end of report

---------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 7:38:05 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\j2re1.4.2_07\bin\jucheck.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Xtra\Programs\hijackthis\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

Thats better, now as to the two highlighted items I know about those and we have three real choices if you do not use the programs (yahoo and MS Money)we can check them and then uninstall the programs. If you use the programs we can check them, then uninstall and reinstall the programs, or I can try to write a registry fix to fix the file paths. I will leave it up to you how you want to proceed, just let me know.

Share this post


Link to post
Share on other sites

I use Yahoo messenger and yahoo search, but don't really use the extra browser features. This wouldn't be too hard for me to reinstall.

 

I don't use MS Money. I don't even know what it is.

Share this post


Link to post
Share on other sites

Ok good.

 

[*]Run HijackThis, Choose "Do a system scan only" and checkmark the box next to the following entries.

  • O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\comeng.dll (file missing)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINDOWS\system32\comeng.dll (file missing)

[*]Close all other windows and browsers, then click "Fix Checked".

 

Then if you decide you want the extra buttons you can uninstall and reinstall yahoo.

 

Now we need to do something about your outdated Java and Norton.

 

Please go to Start->Control Panel->Add or Remove Programs and uninstall the following.

  • Java 2 Runtime Environment, SE v1.4.2_07 <-outdated version makes you more susceptible to one of the infections you had.
    Norton AntiVirus 2002 <-Will probably require a reboot after the reboot you can uninstall the next three items if still present.
    Norton WMI Update
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    MarketBrowser <-if you do not use this I suggest you uninstall it, it has a questionable reputation.
    Microsoft Money 2002 <- This is a checkbook program if you do not use it you can uninstall this and the next entry.
    Microsoft Money 2002 System Pack
    WeatherBug<- If you do not use this I suggest you uninstall it, it has a questionable reputation.

Next, download and install the newest version of Java: Java Runtime Environment (JRE) 6 Update 1

 

 

Download , Install, and run a full scan with 1 of the following Antivirus programs.

avast! makes an excellent free antivirus client, as do AVG and AntiVir.

 

Then please post a log from the other user and let me know if you are having any further problems.

Share this post


Link to post
Share on other sites

Ok I installed all the programs except Norton. I had major problems when i uninstalled MacAfee's antivirus program, so I don't want to go through with anything like that again. I might want to update it and keep it.

 

This is the HJT log for my other windows user:

 

Logfile of HijackThis v1.99.1

Scan saved at 9:33:25 PM, on 6/17/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\AIM95\aim.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

on the 2nd user

 

[*]Run HijackThis, Choose "Do a system scan only" and checkmark the box next to the following entries.

  • O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\comeng.dll (file missing)

[*]Close all other windows and browsers, then click "Fix Checked".

 

Please reboot and post a fresh HijackThis log from this user.

 

It is your decision on whether to remove Norton or not. But If you are going to renew your subscription please do so soon, I would hate to see you get infected again right away :blink: If you decide to uninstall it I can help there are a few force uninstaller utilities that usually need to be run to remove it besides the Add or Remove programs uninstaller, same goes for Mcafee.

 

Once you have submitted the samples.

 

Log back in to the user account we used for all the cleanup.

 

* Open OTMoveIt and click the CleanUp! button on top.

In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present. They are not needed anymore, so OtMoveIt will delete them.

Do not edit anything in that Window!

Don't worry if it displays some tools you didn't download/use.

Click Yes when it asks to Begin cleanup process.

Then reboot your computer.

 

This will remove most of the utilities we ran during this fix, and the infected backups with them. You will have to manually delete the regfix and batch file we created.

Share this post


Link to post
Share on other sites

It looks like my version of Norton Anti virus is out of date that subscription service and updates are not available. So there's no point of keeping it. I'll look at the programs you recommended.

 

 

2nd user HJT log

 

Logfile of HijackThis v1.99.1

Scan saved at 8:44:24 PM, on 6/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

c:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\S3apphk.exe

C:\PROGRA~1\NORTON~1\navapw32.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} -

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Share this post


Link to post
Share on other sites

Looks like there are still a few orphans.

 

[*]Run HijackThis, Choose "Do a system scan only" and checkmark the box next to the following entries.

  • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O16 - DPF: {CAFEEFAC-0014-0002-0007-ABCDEFFEDCBA} -

[*]Close all other windows and browsers, then click "Fix Checked".

 

Assuming your system is running fine please complete the following instructions to purge infected restore points.

 

[*]Set a clean restore point as followed:

  • Click on "Start"->"All Programs"->"Accessories"->"System Tools"->"System Restore"
  • Select "Create a restore point", choose "Next"
  • Give your restore point a name, and click "Create"
  • When it finishes, click "Close".

[*]Follow these instructions to delete the old infected restore points.

  • Click on "Start"->"All Programs"->"Accessories"->"System Tools"->"Disk Cleanup"
  • Click on the "More Options" tab at the top.
  • Under System Restore at the bottom, select "Clean up"
  • When prompted to confirm, select "Yes"

Be sure to uninstall Norton before installing a different Anti-virus, they tend to fight and make the system very unstable.

 

If there are any problems with the Norton uninstall let me know. I just checked and because of the age of the product Symatec has removed the uninstall utility from their website, but if you need it I may be able to find it.

Share this post


Link to post
Share on other sites

I'm not sure what I did to cause this, but i'm having more problems.

My computer is extremely slow and the CPU is at 100%.

EDIT: after tons of trial and error, the 100% CPU usage was due to a windows TC/IP component installed.

 

I did uninstall a couple programs i don't use. I thought i unstalled some windows components, but the directions were confusing, so i don't know what i ended up doing.

EDIT: i was tring to get rid of programs i don't use. i figured it out (at least to some extent)

 

And i installed avast's antivirus program while norton was still installed. Now both are uninstalled.

EDIT: reinstalling avast!

 

this is very frustrating.

EDIT: my internet connection got screwed up. i somehow figured it out.

 

FINAL note:

thanks for all your help. anything else i need to do?

 

new HJT log looks clean:

Logfile of HijackThis v1.99.1

Scan saved at 1:51:17 AM, on 6/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\System32\snmp.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Xtra\Programs\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095139851093

O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by lilpixi

Share this post


Link to post
Share on other sites

I don't know but it is possible that having multiple Anti-Virus programs at one time caused that issue. That causes all kind of weird problems.

 

Your last log looks good to me.

 

If you are not having any other problems then I think you are ready to go.

 

I will leave this thread open for a week or so in case you have problems with the Avast re-install.

Share this post


Link to post
Share on other sites

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0