Sadie Keilitz

POP-UPS WON'T STOP!! PLEASE HELP!!

12 posts in this topic

Something downloaded onto my computer and now just randomly opens pop-ups. I don't even have to be on the computer. I can just come in the room and there are 20 windows open. Here is the list of questions from the FAQ:

1. Do you have popups? If so, where are they from? What do they say? Are they advertising a particular product? Has your browser been hijacked? If so, to what URL?

 

a. Yes, lots of pop-ups. They are from several different pages; here are some that popped up while I was writing this: http://banners.pennyweb.com, https://www.harborcredit.com/offers,

b. I am not sure if my browser has been hijacked (don’t know much about that stuff)

 

2. Does your antivirus detect an infected file? If so, what file, and what is the infection detected?

a. I ran a virus scan yesterday and it detected something but couldn’t delete it. I am running a new one now.

3. Is your system sluggish? Is there a particular process using a lot of the CPU? If so, what is it? Does your firewall give alerts about a process trying to access the internet? If so, what is it?

a. My system is sluggish.

b. Not sure how to check if a particular process uses a lot of CPU.

c. We haven’t received any alerts from the firewall.

4. Have you already tried certain steps to fix your problem? If so, what have you tried?

a. I have tried running my virus scan (The Shield Antivirus 2006)

b. I downloaded Spybot – Search and Destroy and ran it. It is not able to remove 4 items: 3 from - Smitfraud-C.CoreService, 1 from - Virtumonde

c. I have run Ad-Aware 2007. It found stuff and quarantined them but the problem still persists.

d. I ran HijackThis :

Logfile of HijackThis v1.99.1

Scan saved at 11:13:04 AM, on 6/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Compaq_Administrator\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: http://*.trymedia.com (HKLM)

O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

 

5. Please also mention that you have read this FAQ and followed the directions, or else someone is likely to ask you to come back here.

a. I have read the FAQ and still am having the problem after trying the suggestions.


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 1 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u1-windows-i586-p.exe to install the newest version.

Step #2

 

Scan again with HijackThis and check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

After checking these items, close all browser windows except HijackThis and click "Fix checked".

 

Step #3

 

Download: DelDomains.inf

  • Locate DelDomains.inf
  • Right-click and select "Install"

Then reboot your computer.

 

Step #4

 

Download Combofix to your desktop.

Doubleclick combofix.exe

Follow the prompts.

Don't click on the window while the fix is running, because that will cause your system to hang.

 

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new hijackthislog.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

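Step #2 above works by reading the posted HijackThis entries and picking out the ones that need fixing. As an added example that is not part of this thread and is not code from HijackThis or the forum, the following Python script parses lines in the HijackThis v1.99.1 format shown above and flags the entries a reviewer would want to look at first, using simple heuristics: an O23 service with "Unknown owner", an executable stored directly in C:\WINDOWS, an autostart entry pointing into a Temp folder, a BHO registered with no name, and a "(file missing)" reference. The sample lines are constructed from entries that appear in this thread, the allowlist of executables that legitimately live in the Windows directory is an assumption, and a flag is a prompt for manual review, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: HijackThis-format lines modelled on entries posted in this thread.
# One O4 line is assembled from a ComboFix startupreg entry to show the Temp-folder case.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\\WINDOWS\\system32\\bjwccgn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_01\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [Windows Defender] "C:\\Program Files\\Windows Defender\\MSASCui.exe" -hide
O4 - HKLM\\..\\Run: [NI.UWA7P_0001_N91M0809] "C:\\DOCUME~1\\COMPAQ~1\\LOCALS~1\\Temp\\WinAntiVirusPro2007FreeInstall.exe" -nag
O23 - Service: Net Agent - Unknown owner - C:\\WINDOWS\\dls0523pmw.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""


@dataclass
class Entry:
    kind: str   # HijackThis section code, e.g. "O23"
    body: str   # everything after "O23 - "
    path: str   # first file path found in the body, "" if none


@dataclass
class Finding:
    entry: Entry
    reasons: list = field(default_factory=list)


ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a program/library/driver/page extension
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|sys|htm|html)", re.IGNORECASE)

# Assumption: executables that normally sit directly in the Windows directory.
# Anything else found there is flagged for a closer look.
WINDOWS_ROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


def parse_line(line):
    """Return an Entry for a HijackThis line, or None for non-entry text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    p = PATH_RE.search(body)
    return Entry(m.group("kind"), body, p.group(0) if p else "")


def triage(entry):
    """Apply review heuristics to one entry; an empty reasons list means nothing stood out."""
    reasons = []
    path_l = entry.path.lower()
    parts = path_l.split("\\")  # e.g. ["c:", "windows", "dls0523pmw.exe"]

    if entry.kind == "O23" and "Unknown owner" in entry.body:
        reasons.append("service has no vendor string (Unknown owner)")
    if entry.kind == "O2" and "(no name)" in entry.body:
        reasons.append("BHO registered with no name")
    if len(parts) == 3 and parts[1] == "windows" and parts[2] not in WINDOWS_ROOT_OK:
        reasons.append("executable stored directly in the Windows directory")
    if "\\temp\\" in path_l:
        reasons.append("autostart points into a Temp directory")
    if "(file missing)" in entry.body:
        reasons.append("referenced file is missing")
    return Finding(entry, reasons)


def triage_log(text):
    """Parse a whole log and return only the entries that picked up at least one reason."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        f = triage(entry)
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.entry.kind} {f.entry.path or f.entry.body[:60]}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample the script flags the unnamed BHO in system32, the Temp-folder autostart and the "Net Agent" service (twice: unknown owner and Windows-root location), while the ATI service and the Windows Defender entry pass untouched. The R1 search-page line is deliberately not scored: whether a vendor-customised search URL is wanted is a judgement the helper made from context, not something a path heuristic can decide.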

Thanks for your help with this. I wouldn't have the slightest clue how to fix this myself. I really appreciate your help.

 

 

Here is the ComboFix -----

 

 

 

 

ComboFix 07-06-11.3 - C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe

"Compaq_Administrator" - 2007-06-10 20:04:39 - Service Pack 2 NTFS

 

 

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\iwbbgakq.dll

C:\WINDOWS\system32\ndimnpdt.dll

C:\WINDOWS\system32\perwpcxa.dll

C:\WINDOWS\system32\uforcfev.dll

C:\WINDOWS\system32\cbxvsqr.dll

C:\WINDOWS\system32\mpqss.bak1

C:\WINDOWS\system32\mpqss.bak2

C:\WINDOWS\system32\mpqss.ini

C:\WINDOWS\system32\mpqss.ini2

C:\WINDOWS\system32\mpqss.tmp

C:\WINDOWS\system32\mpqss.bak1

C:\WINDOWS\system32\mpqss.bak2

C:\WINDOWS\system32\mpqss.ini

C:\WINDOWS\system32\mpqss.ini2

C:\WINDOWS\system32\mpqss.tmp

C:\WINDOWS\system32\mpqss.bak1

C:\WINDOWS\system32\mpqss.bak2

C:\WINDOWS\system32\mpqss.ini

C:\WINDOWS\system32\mpqss.ini2

C:\WINDOWS\system32\mpqss.tmp

C:\WINDOWS\system32\ssqpm.dll

C:\WINDOWS\system32\mljghhf.dll

 

 

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

 

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\#SharedObjects\42G3U9NS\www.broadcaster.com

C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com

C:\DOCUME~1\COMPAQ~1\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol

C:\Program Files\WindowsUpdate\projywuine.html

C:\Temp\0b9

C:\Temp\0b9\tmpTF.log

C:\Temp\tn3

C:\WINDOWS\cfg32a.exe

C:\WINDOWS\cs_cache.ini

C:\WINDOWS\dls0523pmw.exe

C:\WINDOWS\fnts~1

C:\WINDOWS\rau001978.exe

C:\WINDOWS\retadpu1000106.exe

C:\WINDOWS\retadpu2000219.exe

C:\WINDOWS\system32\drivers\core.cache.dsk

C:\WINDOWS\system32\drivers\core.sys

C:\WINDOWS\system32\pog

C:\WINDOWS\system32\T3

C:\WINDOWS\system32\T3\am67.exe

C:\WINDOWS\system32\T4

C:\WINDOWS\system32\T4\amst5.exe

 

 

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

-------\LEGACY_CORE

-------\LEGACY_NET_AGENT

-------\core

-------\Net Agent

 

 

((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))

 

 

2007-06-10 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-09 08:08 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-09 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-09 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-06-08 21:04 <DIR> d-------- C:\Program Files\Windows Defender

2007-06-08 20:50 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2007-06-08 20:08 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-08 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-08 15:31 <DIR> d-------- C:\Program Files\Common Files\Scanner

2007-06-07 20:53 172,544 --a------ C:\WINDOWS\system32\bjwccgn.dll

2007-06-07 20:53 1,221,920 -r-hs---- C:\WINDOWS\qxsjykuA.exe

2007-06-07 20:53 <DIR> d-------- C:\WINDOWS\system32\TQ0

2007-06-07 20:53 <DIR> d-------- C:\WINDOWS\system32\T7

2007-06-07 20:53 <DIR> d-------- C:\WINDOWS\system32\T6

2007-06-07 20:53 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ

2007-06-07 20:53 <DIR> d-------- C:\temp\x2b

2007-06-06 15:37 192,512 --a------ C:\WINDOWS\sosi42.exe

2007-06-06 15:25 53,248 --a------ C:\WINDOWS\112uninst.exe

2007-06-06 15:22 53,248 --a------ C:\WINDOWS\uni_eh42.exe

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

2007-05-31 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP

2007-05-31 17:22 <DIR> d-------- C:\Program Files\AIM6

2007-05-29 11:53 <DIR> d-------- C:\Program Files\QuickTime

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-11 02:07:06 -------- d--h--w C:\Program Files\WindowsUpdate

2007-06-09 01:34:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-09 01:22:48 -------- d-----w C:\Program Files\Norton Security Scan

2007-06-09 00:51:17 -------- d-----w C:\Program Files\Yahoo!

2007-06-08 23:35:49 -------- d--h--r C:\DOCUME~1\COMPAQ~1\APPLIC~1\yahoo!

2007-06-08 22:15:15 -------- d-----w C:\Program Files\Sonic

2007-06-08 17:09:26 3,567,520 ----a-w C:\WINDOWS\system32\drivers\vrcore.sys

2007-06-07 00:33:06 -------- d-----w C:\Program Files\Warcraft III

2007-05-09 13:25:43 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-04-28 23:55:07 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 02:24:20 -------- d-----w C:\Program Files\My Kazaa Gold

2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 04:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 04:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-14 14:47:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft

2007-04-14 03:41:53 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\MSNInstaller

2007-04-14 03:41:20 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-14 00:20:31 -------- d-----w C:\Program Files\Google

2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-04-12 00:09:07 -------- d-----w C:\Program Files\Common Files\xing shared

2007-04-12 00:09:01 -------- d-----w C:\Program Files\Common Files\Real

2007-04-11 23:11:40 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Google

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 18:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 18:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2006-04-15 23:42:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 15:18]

{42ed587c-c3a5-488c-8719-80bd7f70f37f}=C:\WINDOWS\system32\bjwccgn.dll [2007-06-07 20:53]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= C:\Program Files\WindowsUpdate\projywuine.html

FriendlyName=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]

ARPWRMSG.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

rundll32.exe "C:\WINDOWS\system32\ogxlllnf.dll",realset

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]

C:\Program Files\DISC\DISCover.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]

C:\Program Files\DISC\DiscUpdateMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dwStart]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

C:\Program Files\Common Files\AOL\1151354013\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

C:\HP\KBD\KBD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Kazaa Gold]

C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]

"C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\WinAntiVirusPro2007FreeInstall.exe" -nag

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nzh]

C:\WINDOWS\F?nts\n?tepad.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qxsjykuA]

C:\WINDOWS\qxsjykuA.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]

"C:\DOCUME~1\COMPAQ~1\MYDOCU~1\RACLE~1\logonui.exe" -vt yazb

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sosi42]

C:\WINDOWS\sosi42

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywarebot]

C:\Program Files\SpywareBot\SpywareBot.exe -boot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vrmon]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyc]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyd]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrSchedule]

C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

C:\Program Files\Web Buying\v1.7.4\webbuying.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\TICHD003.exe CHD003

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-29 12:28:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-11 02:02:44 C:\WINDOWS\tasks\MP Scheduled Scan.job

2007-06-02 00:34:31 C:\WINDOWS\tasks\Norton Security Scan.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-10 20:10:51

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-10 20:12:36 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-10 20:12

 

--- E O F ---

 

 

Here is the HijackThis --------

 

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 8:15:02 PM, on 6/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\arservice.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Compaq_Administrator\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\WINDOWS\system32\bjwccgn.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

 

 

 

 

 

I also wanted to mention that I have been getting this error since this whole thing started:

 

dls0523pmw.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

 

Thank you

Sadie Keilitz


Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:

SpywareBot

 

This is rogueware (or known to be rogueware in the past) and we highly recommend that you uninstall it. Rogue/Suspect means that this product is of unknown, questionable, or dubious value as anti-spyware protection.

 

If you're willing, definitely uninstall:

Kazaa (Gold)

 

Then reboot your computer.

 

Step #2

 

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.

Step #3

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

 

File::
C:\WINDOWS\msdownld.tmp
C:\WINDOWS\system32\bjwccgn.dll
C:\WINDOWS\qxsjykuA.exe
C:\WINDOWS\sosi42.exe
C:\WINDOWS\112uninst.exe
C:\WINDOWS\uni_eh42.exe
C:\Program Files\WindowsUpdate\projywuine.html
C:\WINDOWS\dls0523pmw.exe

Folder::
C:\WINDOWS\sosi42
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T1QaSQ
C:\temp\x2b
C:\Program Files\SpywareBot
C:\Program Files\Web Buying

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{42ed587c-c3a5-488c-8719-80bd7f70f37f}=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NI.UWA7P_0001_N91M0809]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nzh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qxsjykuA]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sosi42]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywarebot]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

[screenshot: Combo-Do.gif]

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

 

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Step #4

 

Jotti File Submission:

Step #5

 

Please post the log from the ComboFix scan located at C:\ComboFix.txt, the contents of C:\vundofix.txt, the Jotti results and a new HiJackThis log.


Please also (before you continue if possible):

 

Go to Start > Control Panel > Software (Add/Remove Programs) and uninstall the following, if present:

 

Ipwindows / ipwins

Oin

Yazzle by Oin

YazzleActiveX By OIN

Purityscan by Oin

MediaTickets by OIN

Snowballwars by Oin

Cowabanga by OIN

or anything similar with Oin in it.

 

If OIN is not listed, download and run this uninstaller.

 

Reboot when done! Really important!

 

Then continue!


DIDOM,

 

I uninstalled SpywareBot before I downloaded Spybot Search and Destroy. Also, I uninstalled Kazaa Gold about 3-6 months ago because it was making our computer run so slow. I checked now and do not see either of these programs in Add and Remove Programs. What else should I do to get rid of these programs? I did everything that you said to do and here are all the results.

 

Here is Jotti results:

 

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1

File: lsdelete.exe

Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

MD5 33b97c883430c332c6dfae5d074bd755

Packers detected: -

 

Scanner results

Scan taken on 11 Jun 2007 23:06:29 (GMT)

A-Squared Found nothing

AntiVir Found nothing

ArcaVir Found nothing

Avast Found nothing

AVG Antivirus Found nothing

BitDefender Found nothing

ClamAV Found nothing

Dr.Web Found nothing

F-Prot Antivirus Found nothing

F-Secure Anti-Virus Found nothing

Fortinet Found nothing

Kaspersky Anti-Virus Found nothing

NOD32 Found nothing

Norman Virus Control Found nothing

Panda Antivirus Found nothing

Rising Antivirus Found nothing

VirusBuster Found nothing

VBA32 Found nothing

Here is ComboFix results:

 

ComboFix 07-06-11.3 - C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe

"Compaq_Administrator" - 2007-06-11 16:59:24 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix-Do.txt

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\temp\x2b

C:\temp\x2b\tmpZTF.log

C:\WINDOWS\112uninst.exe

C:\WINDOWS\qxsjykuA.exe

C:\WINDOWS\sosi42.exe

C:\WINDOWS\system32\bjwccgn.dll

C:\WINDOWS\system32\T1QaSQ

C:\WINDOWS\system32\T1QaSQ\T1QaSQ1065.exe

C:\WINDOWS\system32\T6

C:\WINDOWS\system32\T7

C:\WINDOWS\system32\TQ0

C:\WINDOWS\system32\TQ0\am52.exe

C:\WINDOWS\uni_eh42.exe

((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))

2007-06-11 16:52 <DIR> d-------- C:\VundoFix Backups

2007-06-10 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-09 08:08 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-09 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-09 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-06-08 21:04 <DIR> d-------- C:\Program Files\Windows Defender

2007-06-08 20:50 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2007-06-08 20:08 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-08 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-08 15:31 <DIR> d-------- C:\Program Files\Common Files\Scanner

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

2007-05-31 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP

2007-05-31 17:22 <DIR> d-------- C:\Program Files\AIM6

2007-05-29 11:53 <DIR> d-------- C:\Program Files\QuickTime

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-11 02:07:06 -------- d--h--w C:\Program Files\WindowsUpdate

2007-06-09 01:34:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-09 01:22:48 -------- d-----w C:\Program Files\Norton Security Scan

2007-06-09 00:51:17 -------- d-----w C:\Program Files\Yahoo!

2007-06-08 23:35:49 -------- d--h--r C:\DOCUME~1\COMPAQ~1\APPLIC~1\yahoo!

2007-06-08 22:15:15 -------- d-----w C:\Program Files\Sonic

2007-06-08 17:09:26 3,567,520 ----a-w C:\WINDOWS\system32\drivers\vrcore.sys

2007-06-07 00:33:06 -------- d-----w C:\Program Files\Warcraft III

2007-05-09 13:25:43 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-04-28 23:55:07 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 02:24:20 -------- d-----w C:\Program Files\My Kazaa Gold

2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 04:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 04:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-14 14:47:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft

2007-04-14 03:41:53 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\MSNInstaller

2007-04-14 03:41:20 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-14 00:20:31 -------- d-----w C:\Program Files\Google

2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-04-12 00:09:07 -------- d-----w C:\Program Files\Common Files\xing shared

2007-04-12 00:09:01 -------- d-----w C:\Program Files\Common Files\Real

2007-04-11 23:11:40 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Google

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 18:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 18:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2006-04-15 23:42:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 15:18]

{42ed587c-c3a5-488c-8719-80bd7f70f37f}=C:\WINDOWS\system32\bjwccgn.dll []

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source= C:\Program Files\WindowsUpdate\projywuine.html

FriendlyName=

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]

ARPWRMSG.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

rundll32.exe "C:\WINDOWS\system32\ogxlllnf.dll",realset

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]

C:\Program Files\DISC\DISCover.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]

C:\Program Files\DISC\DiscUpdateMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dwStart]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

C:\Program Files\Common Files\AOL\1151354013\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

C:\HP\KBD\KBD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Kazaa Gold]

C:\Program Files\My Kazaa Gold\MyGoldKazaa.exe /hide

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]

"C:\DOCUME~1\COMPAQ~1\MYDOCU~1\RACLE~1\logonui.exe" -vt yazb

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vrmon]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyc]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyd]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrSchedule]

C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\TICHD003.exe CHD003

Contents of the 'Scheduled Tasks' folder

2007-05-29 12:28:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-11 21:31:35 C:\WINDOWS\tasks\MP Scheduled Scan.job

2007-06-02 00:34:31 C:\WINDOWS\tasks\Norton Security Scan.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-11 17:01:21

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-11 17:01:48

C:\ComboFix-quarantined-files.txt ... 2007-06-11 17:01

C:\ComboFix2.txt ... 2007-06-10 20:12

 

--- E O F ---

 

Here is HijackThis results:

 

Logfile of HijackThis v1.99.1

Scan saved at 5:14:43 PM, on 6/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\TEMP\Del19.tmp

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\COMPAQ~1\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\WINDOWS\system32\bjwccgn.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

 

Here is Vundofix results:

 

VundoFix V6.5.0

 

Checking Java version...

 

Java version is 1.5.0.5

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

 

Java version is 1.5.0.11

 

Scan started at 4:52:35 PM 6/11/2007

 

Listing files found while scanning....

 

No infected files were found.

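Added example, not part of this thread and not HijackThis, ComboFix or forum-team code: a small Python triage that applies the same heuristics the helper used on the HijackThis log in the first post and on the ComboFix "Reg Loading Points" above. It flags a BHO registered as "(no name)", an autostart whose binary lives under Temp or My Documents, a random-looking file name sitting directly in WINDOWS or system32, a product the helper named as rogueware, an orphaned "(file missing)" entry, and an O17 NameServer outside the expected resolvers. The sample input is constructed from lines in this thread plus one made-up O17 line pointing at 192.0.2.53 (a TEST-NET address) to exercise the nameserver rule; the allowlists (Spybot's nameless SDHelper GUID, the two OpenDNS resolvers, a few Windows binaries) and the one-vowel threshold are assumptions for illustration, not a real known-good database.

```python
"""Heuristic triage of HijackThis lines and ComboFix 'Reg Loading Points'.

Added example for this thread; not HijackThis, ComboFix or forum-team code.
Allowlists and thresholds below are assumptions for illustration only.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "source name command")
Finding = namedtuple("Finding", "rule name command")

# Assumed allowlists (illustrative, not an authoritative known-good database).
KNOWN_NAMELESS_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}  # Spybot SDHelper
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}            # OpenDNS, as in O17
KNOWN_SYSTEM_BINARIES = {"svchost", "spoolsv", "dllhost"}          # legit one-vowel stems
ROGUE_PRODUCTS = {"spywarebot"}                                    # named rogueware above

HJT_LINE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.+)$")
STARTUPREG = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig"
    r"\\startupreg\\(?P<name>[^\]]+)\]$", re.I)
USER_WRITABLE = re.compile(
    r"\\(Temp|My Documents|MYDOCU~1|LOCALS~1|Application Data|APPLIC~1)\\", re.I)
SYSTEM_FILE = re.compile(
    r"\\WINDOWS\\(?:system32\\)?(?P<stem>[A-Za-z]{7,})\.(?:dll|exe)\b", re.I)
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,]+)")


def parse(text):
    """Collect HJT 'Rn/On - ...' lines and ComboFix '[...\\startupreg\\Name]'
    keys paired with the command line that follows each key."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None and not line.startswith("["):
            entries.append(Entry("combofix", pending, line))  # the key's command line
            pending = None
            continue
        pending = None  # a key with no command line (e.g. Aim6 above) is dropped
        m = STARTUPREG.match(line)
        if m:
            pending = m.group("name")
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append(Entry("hjt", m.group("type"), m.group("rest")))
    return entries


def rules(entry):
    """Yield the name of every heuristic the entry trips."""
    cmd = entry.command
    if entry.source == "hjt" and entry.name == "O2" and cmd.startswith("BHO: (no name)"):
        guid = re.search(r"\{[0-9A-Fa-f-]+\}", cmd)
        if guid is None or guid.group(0).upper() not in KNOWN_NAMELESS_BHO:
            yield "nameless-bho"
    if "(file missing)" in cmd:
        yield "orphaned-entry"  # dead reference: clean it, nothing left to scan
    if USER_WRITABLE.search(cmd):
        yield "autostart-from-user-writable-dir"
    if any(p in cmd.lower() for p in ROGUE_PRODUCTS):
        yield "rogue-product"
    m = SYSTEM_FILE.search(cmd)
    if m:
        stem = m.group("stem")
        if sum(c in "aeiouAEIOU" for c in stem) <= 1 and stem.lower() not in KNOWN_SYSTEM_BINARIES:
            yield "random-looking-system-file"  # weak signal: look the file up
    m = NAMESERVER.search(cmd)
    if m and any(ip not in KNOWN_RESOLVERS for ip in m.group("ips").split(",")):
        yield "unexpected-nameserver"


def triage(text):
    return [Finding(rule, e.name, e.command) for e in parse(text) for rule in rules(e)]


# Constructed sample: lines copied from the logs above, plus one made-up O17
# line (192.0.2.53 is a TEST-NET address) to exercise the nameserver rule.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\WINDOWS\system32\bjwccgn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 192.0.2.53
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]
rundll32.exe "C:\WINDOWS\system32\ogxlllnf.dll",realset
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]
"C:\DOCUME~1\COMPAQ~1\MYDOCU~1\RACLE~1\logonui.exe" -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\TICHD003.exe CHD003
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:36} {f.name:10} {f.command}")
```

The vowel-count rule is deliberately weak: svchost, spoolsv and dllhost also have a single vowel, which is why the allowlist exists, and a hit means "look this file up", not "delete it". That is the role the Jotti submission plays in this thread: the helper asked for a verdict on the file before it was removed.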

Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. (ALL except for 1.6.0_01)

  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

Scan again with HijackThis and check the following items:

O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\WINDOWS\system32\bjwccgn.dll (file missing)

 

O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot

After checking these items, close all browser windows except HijackThis and click "Fix checked".

 

Step #2

 

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there (except for "My current home page").

 

Step #3

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

 

Folder::
C:\Program Files\My Kazaa Gold

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Kazaa Gold]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ApachInc]

 

 

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

 

 


 

 

 

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

 

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Please post the log from the ComboFix scan located at C:\ComboFix.txt.


Didom,

 

As you previously told me, I had already removed all of the Java versions and downloaded the newest version. I am not sure whether there is a different way to get rid of them or not?

 

OK, I followed the instructions you gave me and here is the log from ComboFix:

 

ComboFix 07-06-11.3 - C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe

"Compaq_Administrator" - 2007-06-12 16:07:08 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\Program Files\My Kazaa Gold

C:\Program Files\My Kazaa Gold\giFT\incoming\B56B00089350003F3880.Notorious B.I.G feat. Too Short - Big Booty Hoes.mp3.state

C:\Program Files\My Kazaa Gold\giFT\incoming\B5AE00048440008E67D8.Notorious B.I.G. ft Diddy, Nelly %26 Jagged Edge - Nasty Girl.mp3.state

C:\Program Files\My Kazaa Gold\update.conf

 

 

((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))

 

 

2007-06-12 14:19 <DIR> d-------- C:\WINDOWS\LastGood

2007-06-11 16:52 <DIR> d-------- C:\VundoFix Backups

2007-06-10 20:04 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-09 08:08 <DIR> d-------- C:\Program Files\Lavasoft

2007-06-09 08:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft

2007-06-09 08:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-08 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-06-08 21:04 <DIR> d-------- C:\Program Files\Windows Defender

2007-06-08 20:50 <DIR> d--h----- C:\WINDOWS\msdownld.tmp

2007-06-08 20:08 <DIR> d-------- C:\Program Files\Enigma Software Group

2007-06-08 17:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-08 15:31 <DIR> d-------- C:\Program Files\Common Files\Scanner

2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys

2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys

2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys

2007-05-31 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP

2007-05-31 17:22 <DIR> d-------- C:\Program Files\AIM6

2007-05-29 11:53 <DIR> d-------- C:\Program Files\QuickTime

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-11 02:07:06 -------- d--h--w C:\Program Files\WindowsUpdate

2007-06-09 01:34:57 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-09 01:22:48 -------- d-----w C:\Program Files\Norton Security Scan

2007-06-09 00:51:17 -------- d-----w C:\Program Files\Yahoo!

2007-06-08 23:35:49 -------- d--h--r C:\DOCUME~1\COMPAQ~1\APPLIC~1\yahoo!

2007-06-08 22:15:15 -------- d-----w C:\Program Files\Sonic

2007-06-08 17:09:26 3,567,520 ----a-w C:\WINDOWS\system32\drivers\vrcore.sys

2007-06-07 00:33:06 -------- d-----w C:\Program Files\Warcraft III

2007-05-09 13:25:43 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2

2007-04-28 23:55:07 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-17 04:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-17 04:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-17 04:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-17 04:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-17 04:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-17 04:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-17 04:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-17 04:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-17 04:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-17 04:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-14 14:47:48 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\Lavasoft

2007-04-14 03:41:53 -------- d-----w C:\DOCUME~1\COMPAQ~1\APPLIC~1\MSNInstaller

2007-04-14 03:41:20 -------- d-----w C:\Program Files\Common Files\AOL

2007-04-14 00:20:31 -------- d-----w C:\Program Files\Google

2007-04-13 21:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe

2007-04-12 00:09:07 -------- d-----w C:\Program Files\Common Files\xing shared

2007-04-12 00:09:01 -------- d-----w C:\Program Files\Common Files\Real

2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 18:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 18:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2006-04-15 23:42:01 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-05-30 15:18]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles

"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Compaq Connections.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk

backup=C:\WINDOWS\pss\Compaq Connections.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]

ARPWRMSG.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

C:\WINDOWS\system32\ctfmon.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]

C:\Program Files\DISC\DISCover.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]

C:\Program Files\DISC\DiscUpdateMgr.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dwStart]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]

C:\WINDOWS\ehome\ehtray.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C64 Series]

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]

C:\Program Files\Common Files\AOL\1151354013\ee\AOLSoftware.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]

"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]

C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

C:\HP\KBD\KBD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]

"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

"C:\Program Files\Messenger\msmsgs.exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]

"C:\DOCUME~1\COMPAQ~1\MYDOCU~1\RACLE~1\logonui.exe" -vt yazb

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

"C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vrmon]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyc]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrProxyd]

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VrSchedule]

C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]

C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]

C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\TICHD003.exe CHD003

 

*Newly Created Service* - VRFIL

 

Contents of the 'Scheduled Tasks' folder

2007-06-12 12:28:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

2007-06-11 23:22:22 C:\WINDOWS\tasks\MP Scheduled Scan.job

2007-06-02 00:34:31 C:\WINDOWS\tasks\Norton Security Scan.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-12 16:08:48

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-12 16:09:27

C:\ComboFix-quarantined-files.txt ... 2007-06-12 16:09

C:\ComboFix2.txt ... 2007-06-11 17:01

C:\ComboFix3.txt ... 2007-06-10 20:12

 

--- E O F ---

 

 

Even though you didn't ask, I have also given you a new HijackThis log:

 

Logfile of HijackThis v1.99.1

Scan saved at 4:14:49 PM, on 6/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16441)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\TEMP\Del112.tmp

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Compaq_Administrator\My Documents\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

 

 

Thanks for your help,

Sadie Keilitz

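In this thread the ComboFix and HijackThis output is triaged by eye: the helper picks out the startupreg entries whose binary sits under the user's Temp or My Documents folder (Scbu, {ZN}), the BHO whose DLL is missing, and the Del112.tmp process. As an added example, not part of the thread and not one of the tools it mentions, the Python below does that first pass automatically over a handful of lines copied from the posted logs. The allow-list of DNS resolvers (the two OpenDNS addresses seen in the O17 lines) and the extra O17 line pointing at 192.0.2.53 are constructed for the example; the suspicious-directory patterns are the editor's choice, not a rule from the thread.

```python
"""Triage helper for HijackThis / ComboFix-style autostart listings.

Added example, not a tool from the thread. Flags:
  * autostart / service / process entries whose binary runs from a
    Temp, Local Settings or My Documents location,
  * entries HijackThis marks "(file missing)",
  * O17 NameServer values that are not on an assumed allow-list.
"""
import re
from typing import List, Tuple

# Assumed allow-list: the OpenDNS resolvers the O17 lines in the thread show.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Directories from which legitimate autostart binaries almost never run.
SUSPECT_DIRS = re.compile(
    r"\\temp\\|locals~1|\\local settings\\|mydocu~1|\\my documents\\",
    re.IGNORECASE,
)
# First Windows path in a line that ends in an executable-ish extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|scr|cpl|tmp))', re.IGNORECASE)
STARTUPREG_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\msconfig\\startupreg\\(.+)\]$", re.IGNORECASE)
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines copied from the logs posted above, plus one
# made-up O17 line (placeholder GUID, TEST-NET address) to exercise the DNS check.
SAMPLE_LINES = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\Del112.tmp
O2 - BHO: (no name) - {42ed587c-c3a5-488c-8719-80bd7f70f37f} - C:\WINDOWS\system32\bjwccgn.dll (file missing)
O4 - HKLM\..\Run: [spywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-EXAMPLE}: NameServer = 192.0.2.53
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Scbu]
"C:\DOCUME~1\COMPAQ~1\MYDOCU~1\RACLE~1\logonui.exe" -vt yazb
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{ZN}]
C:\DOCUME~1\COMPAQ~1\LOCALS~1\Temp\TICHD003.exe CHD003
"""


def check_path(line: str) -> List[str]:
    """Reasons to flag one autostart / service / process line; [] if clean."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("registered binary missing from disk")
    m = PATH_RE.search(line)
    if m and SUSPECT_DIRS.search(m.group(1)):
        reasons.append("binary runs from a temp/profile directory")
    return reasons


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for suspicious entries in a mixed listing."""
    findings: List[Tuple[str, str]] = []
    pending_key = None  # startupreg key whose command line is the next line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STARTUPREG_RE.match(line)
        if m:  # a new startupreg header; an empty previous key is simply dropped
            pending_key = m.group(1)
            continue
        if pending_key is not None:
            key, pending_key = pending_key, None
            if not line.startswith("["):
                for reason in check_path(line):
                    findings.append((f"startupreg '{key}': {reason}", line))
                continue
        m = O17_RE.match(line)
        if m:
            servers = {s.strip() for s in m.group(1).split(",")}
            unknown = sorted(servers - KNOWN_RESOLVERS)
            if unknown:
                findings.append((f"O17 DNS points at unrecognised resolver(s) {unknown}", line))
            continue
        if line.startswith(("O2 ", "O4 ", "O20 ", "O21 ", "O23 ")):
            for reason in check_path(line):
                findings.append((f"{line[:3].strip()} entry: {reason}", line))
            continue
        if DRIVE_RE.match(line):  # bare path under "Running processes:"
            for reason in check_path(line):
                findings.append((f"running process: {reason}", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LINES):
        print(f"[!] {reason}\n    {line}")
```

Run against the sample it reports five items: the Del112.tmp process, the missing bjwccgn.dll BHO, the constructed 192.0.2.53 resolver, and the Scbu and {ZN} startupreg commands. Everything under Program Files or system32 and the OpenDNS O17 lines pass, which matches what the helper chose to fix in the thread.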

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

 

Step #1

 

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

 

File::
C:\WINDOWS\TEMP\Del112.tmp

 

 

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

 

 


 

 

 

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

 

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

 

Step #2

 

Download CCleaner and install it.

 

Start CCleaner, click "Options", then click the "Advanced" tab.

Uncheck "Only delete files older than 48 hours", then click OK.

Click "Cleaner" and click Run Cleaner (bottom right).

 

Step #3

 

Reboot your system. Post a fresh HijackThis log and tell me how your system is running now!


Didom,

 

Here is the HijackThis log. My computer is running amazingly well now. I want to thank you sooo much for your help. I would like to pay you or something. Please let me know if I can give you a tip or pay you or something!

 

Could you tell me what I need to do to keep this from happening again? What programs should I have running to protect my computer, and how often do I clean my computer, and with what?

 

Again THANK YOU SO MUCH!!!

 

Sadie Keilitz

 

 

Logfile of HijackThis v1.99.1

Scan saved at 6:42:47 PM, on 6/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16473)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\arservice.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Compaq_Administrator\My Documents\hijackthis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0645D7F3-C20E-4E0B-A545-557527497C0B} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n...GAPANEL_USA.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab

O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - http://download.games.yahoo.com/games/web_...loadControl.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...e/gpcontrol.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab

O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O17 - HKLM\System\CS1\Services\Tcpip\..\{386D304D-1E29-43C3-8794-F414D239C526}: NameServer = 208.67.222.222,208.67.220.220

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe


This log looks clean!

  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View tab.
    • Under the Hidden files and folders heading, deselect "Show hidden files and folders".
    • Check the "Hide protected operating system files (recommended)" option.
    • Click Yes to confirm.
    • Click OK.

  • To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    1. Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.

    2. Reboot your computer.

    3. Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Un-check "Turn off System Restore".
      • Click Apply, and then click OK.

  • This is a good time to set up protection against further attacks. Read the article behind this link, "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available. Be very cautious about any security software that advertises in popups or other intrusive ways: they are not only usually useless, but also often have malware in them.

 

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

 

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

 

This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

 

Please post back if you are still having any problems....

 


Edited by didom


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
