symbiote28

Help with several problems ..

21 posts in this topic

Hey all. I'm new here and I wish I could get all the help needed. My computer is forever giving me problems and it's time that I ask for guidance and help to fix my computer in any way possible. One thing that's been bothering me is my internet connection. I know it sounds strange, but my internet will keep disconnecting every 1 hour and 2 minutes. It baffles me as to why this happens. I'll have to disable my Local Area Connection under Network Connections and then re-enable it after every 1 hour and 2 minutes. I hope it's not a hardware problem but rather an internal virus/malicious tool that is causing this limit. I beg anyone of you to help me and inform me of anything that isn't supposed to be on my computer. Thank you.

 

below is the logfile of HijackThis

 

-------------------------------------------------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 11:40:40 PM, on 6/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\System32\WScript.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Download Manager\IDMan.exe

c:\progra~1\intern~1\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\system32\CTPdeSrv.exe

C:\Program Files\Winamp\winamp.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\uTorrent\utorrent.exe

C:\PROGRA~1\DrWeb\spidernt.exe

C:\Program Files\DrWeb\spiderml.exe

C:\WINDOWS\system32\wscript.exe

C:\WINDOWS\system32\wscript.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscript.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\achi.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrtib.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe

O1 - Hosts: 127.255.255.255 www.getright.com

O1 - Hosts: 127.255.255.255 pro.getright.com

O1 - Hosts: 127.255.255.255 www.headlightinc.com

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TESTBATBAGSLICENSE] C:\Documents and Settings\All Users\Application Data\FunkRealTestBat\nurb idle.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [spywareremover] C:\Documents and Settings\Home PC\Application Data\SpywareRemover\SpywareRemover.exe -boot

O4 - HKLM\..\Run: [spIDerNT] C:\PROGRA~1\DrWeb\spidernt.exe /agent

O4 - HKLM\..\Run: [spIDerMail] "C:\Program Files\DrWeb\spiderml.exe"

O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\achi.dll.vbs

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [software intra] C:\DOCUME~1\HOMEPC~1\APPLIC~1\TRANSF~1\rulebindsurf.exe

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: SpIDer Guard for Windows NT (spidernt) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\SpiderNT.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

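The log above is the kind of thing the helpers in this thread triage by eye. As an added example (not a tool from this forum, and not part of HijackThis itself), the Python below applies a few of the same heuristics to a constructed sample of entries copied from that log: a Winlogon Shell or UserInit value carrying a second program, Run entries that launch a script or start from Temp or Application Data, a start page set to a local file, hosts-file overrides, and orphaned BHO/toolbar entries. The severity labels, the path patterns and the script-extension list are this example's own assumptions, not HijackThis categories.

```python
"""Heuristic triage of HijackThis v1.99 log entries (added example, not a HijackThis feature)."""
import re
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the log posted above, one per entry type of interest.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\achi.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\jrtib.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Protection Bar - {0D045BAA-4BD3-4C94-BE8B-21536BD6BD9F} - C:\Program Files\Video ActiveX Object\iesplugin.dll (file missing)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MS32DLL] C:\WINDOWS\achi.dll.vbs
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKCU\..\Run: [software intra] C:\DOCUME~1\HOMEPC~1\APPLIC~1\TRANSF~1\rulebindsurf.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Assumed heuristics: places a legitimate logon entry rarely launches from, and script types
# that have no business in a Run key on a home PC.
USER_WRITABLE = re.compile(r"\\(Temp|Application Data|APPLIC~1|LOCALS~1)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd|hta)(?=\W|$)", re.I)
ORPHAN = re.compile(r"\((no file|file missing)\)", re.I)
LOCAL_FILE = re.compile(r"=\s*[A-Za-z]:\\")

Finding = Tuple[str, str, str]  # (severity, reason, original log line)


def classify(section: str, body: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for one entry, or None when it looks routine."""
    if section in ("R0", "R1") and LOCAL_FILE.search(body):
        return "high", "browser start page points at a local file"
    if section == "F2":
        # Shell= and UserInit= are comma-separated lists; Windows only needs the first item,
        # so anything after the first comma is an extra program started at every logon.
        _, _, value = body.partition("=")
        extra = [p.strip() for p in value.split(",")[1:] if p.strip()]
        if extra:
            return "high", "extra program chained onto a Winlogon value: " + ", ".join(extra)
        return None
    if section == "O1":
        ip, _, host = body.replace("Hosts:", "", 1).strip().partition(" ")
        return "medium", f"hosts file sends {host.strip()} to {ip}"
    if section in ("O2", "O3", "O9", "O23") and ORPHAN.search(body):
        return "low", "orphaned entry, file no longer present"
    if section == "O4":
        if SCRIPT_EXT.search(body):
            return "high", "script file launched at logon"
        if USER_WRITABLE.search(body):
            return "high", "logon entry runs from a temp or profile directory"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every recognised entry line and collect the hits."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, process list, blank line
        verdict = classify(m.group(1), m.group(2))
        if verdict:
            findings.append((verdict[0], verdict[1], line.strip()))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for sev, reason, line in hits:
        print(f"[{sev:6}] {reason}\n         {line}")
    print(severity_counts(hits))
```

On the sample, the two F2 lines, the local start page and the three Run entries come out as high, the O1 override as medium, and the two orphaned entries as low; the Winamp and Symantec lines are not flagged. A real run would still want a human to confirm each hit, exactly as the helpers do here.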

Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi and welcome

 

 

Your system shows you are running Norton AntiVirus and Dr.Web antivirus.

This causes system clashes and instability, and the possibility of false reports with a huge waste of system resources. And in many cases it actually lowers your protection instead of adding to it.

You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.

The alternative is to uninstall one AV and keep the other.

You make the call and if you need help uninstalling one please let me know.

Here are two articles where it is explained in detail.

Symantec

Microsoft
I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

You can re-enable TeaTimer once your system is clean.
Do you have Netpumper or Bitgrabber or BitRoll installed? If so, uninstall them via Start -> Control Panel -> Software -> Add or Remove Programs.

 

Also, please check to see if the following are present in Add or Remove Programs and uninstall them if found:

 

CiD Manager

CiD Help

Download Plugin for Internet Explorer

Messenger Plus

Messenger Plus 2

Messenger Plus 3

Zone Media

Torrent101

 

 

If during uninstall, you are asked for uninstall Verification, please enter the numbers that will appear in the window.

 

Then reboot. <-- Important!

 

 

 

Please download NoLop to the Desktop

Link 1

Link 2

 

*Close any programs you have running since a reboot is required

*Double click NoLop.exe to run it

*Next, click the button labeled: Search and Destroy

<<your computer will now be scanned for infected files>>

*When the scan finishes, if infected, you are prompted to reboot

Click OK

Now click: REBOOT

A Message should popup from NoLop. If not, double click the program again and it will finish.

Please Post the contents of C:\NoLop.log along with a new HijackThis log

 

If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program.
Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

 

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

 

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The report can also be found at the root of the system drive, usually at C:\rapport.txt

 

Warning : running option #2 on a non infected computer will remove your Desktop background.

 

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.

Click Start, click Control Panel, and then double click Internet Options.

On the General tab, click Delete files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK

Click OK

 

 

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

 

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #3 - Delete Trusted zone by typing 3 and press Enter

 

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
In your next reply post:

C:\NoLop.log

SmitFraudFix - C:\rapport.txt

New HJT log

Comments on how your computer is running now


Thanks for the reply. I've been feeling my computer is a bit faster now. Thank you. Here are the logs you've asked for. Hope you can further improve my computer! Thanks! And one more thing: I can't remove DrWeb for some reason. I tried uninstalling it, but I get an error message displaying all sorts of numbers and letters.

 

C:\NoLop.log

 

NoLop! Log by Skate_Punk_21

 

Fix running from: C:\Documents and Settings\Home PC\Desktop

[6/20/2007]

[11:05:56 AM]

 

---Infection Files Found/Removed---

C:\WINDOWS\tasks\A7F61E2B91859B4F.job

 

Beginning Removal...

Rebooting...

Removing Lop's Leftover Files/Folders...

Editing Registry...

**Fix Complete!**

 

---Listing AppData sub directories---

 

C:\Documents and Settings\Administrator\Application Data\Microsoft

C:\Documents and Settings\All Users\Application Data\Apple Computer

C:\Documents and Settings\All Users\Application Data\Avg7

C:\Documents and Settings\All Users\Application Data\Creative

C:\Documents and Settings\All Users\Application Data\Funkrealtestbat

C:\Documents and Settings\All Users\Application Data\Google

C:\Documents and Settings\All Users\Application Data\Grisoft

C:\Documents and Settings\All Users\Application Data\Installshield

C:\Documents and Settings\All Users\Application Data\Macromedia

C:\Documents and Settings\All Users\Application Data\Microsoft

C:\Documents and Settings\All Users\Application Data\Popcap

C:\Documents and Settings\All Users\Application Data\Sbt

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

C:\Documents and Settings\All Users\Application Data\Symantec

C:\Documents and Settings\All Users\Application Data\Trymedia

C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage

C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar

C:\Documents and Settings\Default User\Application Data\Microsoft

C:\Documents and Settings\Home Pc\Application Data\123 Free Puzzle -- EMPTY Directory

C:\Documents and Settings\Home Pc\Application Data\Adobe

C:\Documents and Settings\Home Pc\Application Data\Albumart

C:\Documents and Settings\Home Pc\Application Data\Apple Computer

C:\Documents and Settings\Home Pc\Application Data\Avg7

C:\Documents and Settings\Home Pc\Application Data\Azureus

C:\Documents and Settings\Home Pc\Application Data\Bittorrent

C:\Documents and Settings\Home Pc\Application Data\Creative

C:\Documents and Settings\Home Pc\Application Data\Dmcache

C:\Documents and Settings\Home Pc\Application Data\Download Master

C:\Documents and Settings\Home Pc\Application Data\Getrighttogo

C:\Documents and Settings\Home Pc\Application Data\Google

C:\Documents and Settings\Home Pc\Application Data\Help -- EMPTY Directory

C:\Documents and Settings\Home Pc\Application Data\Identities

C:\Documents and Settings\Home Pc\Application Data\Idm

C:\Documents and Settings\Home Pc\Application Data\Intertrust

C:\Documents and Settings\Home Pc\Application Data\Jasc Software Inc

C:\Documents and Settings\Home Pc\Application Data\Lavasoft

C:\Documents and Settings\Home Pc\Application Data\Macromedia

C:\Documents and Settings\Home Pc\Application Data\Megauploadtoolbar

C:\Documents and Settings\Home Pc\Application Data\Microsoft

C:\Documents and Settings\Home Pc\Application Data\Microsoft Web Folders -- EMPTY Directory

C:\Documents and Settings\Home Pc\Application Data\Mozilla

C:\Documents and Settings\Home Pc\Application Data\Msninstaller

C:\Documents and Settings\Home Pc\Application Data\Opera

C:\Documents and Settings\Home Pc\Application Data\Orbit

C:\Documents and Settings\Home Pc\Application Data\Playfirst

C:\Documents and Settings\Home Pc\Application Data\Real

C:\Documents and Settings\Home Pc\Application Data\Share-to-web Upload Folder -- EMPTY Directory

C:\Documents and Settings\Home Pc\Application Data\Spywareremover

C:\Documents and Settings\Home Pc\Application Data\Sun

C:\Documents and Settings\Home Pc\Application Data\Symantec

C:\Documents and Settings\Home Pc\Application Data\Teleca

C:\Documents and Settings\Home Pc\Application Data\Transfork

C:\Documents and Settings\Home Pc\Application Data\Utorrent

C:\Documents and Settings\Home Pc\Application Data\Vlc

C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory

C:\Documents and Settings\Localservice\Application Data\Macromedia

C:\Documents and Settings\Localservice\Application Data\Megauploadtoolbar

C:\Documents and Settings\Localservice\Application Data\Microsoft

C:\Documents and Settings\Localservice\Application Data\Symantec

C:\Documents and Settings\Networkservice\Application Data\Microsoft

 

----------------------------------------------------------------------------------------------------------------------------

 

SmitFraudFix - C:\rapport.txt

 

SmitFraudFix v2.195

 

Scan done at 11:26:00.68, Wed 06/20/2007

Run from C:\Documents and Settings\Home PC\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

 

 

»»»»»»»»»»»»»»»»»»»»»»»» hosts

 

127.0.0.1 localhost

127.0.0.1 bin.errorprotector.com ## added by CiD

127.0.0.1 br.errorsafe.com ## added by CiD

127.0.0.1 br.winantivirus.com ## added by CiD

127.0.0.1 br.winfixer.com ## added by CiD

127.0.0.1 cdn.drivecleaner.com ## added by CiD

127.0.0.1 cdn.errorsafe.com ## added by CiD

127.0.0.1 cdn.winsoftware.com ## added by CiD

127.0.0.1 de.errorsafe.com ## added by CiD

127.0.0.1 de.winantivirus.com ## added by CiD

127.0.0.1 download.cdn.drivecleaner.com ## added by CiD

127.0.0.1 download.cdn.errorsafe.com ## added by CiD

127.0.0.1 download.cdn.winsoftware.com ## added by CiD

127.0.0.1 download.errorsafe.com ## added by CiD

127.0.0.1 download.systemdoctor.com ## added by CiD

127.0.0.1 download.winantispyware.com ## added by CiD

127.0.0.1 download.windrivecleaner.com ## added by CiD

127.0.0.1 download.winfixer.com ## added by CiD

127.0.0.1 drivecleaner.com ## added by CiD

127.0.0.1 dynamique.drivecleaner.com ## added by CiD

127.0.0.1 errorprotector.com ## added by CiD

127.0.0.1 errorsafe.com ## added by CiD

127.0.0.1 es.winantivirus.com ## added by CiD

127.0.0.1 fr.winantivirus.com ## added by CiD

127.0.0.1 fr.winfixer.com ## added by CiD

127.0.0.1 go.drivecleaner.com ## added by CiD

127.0.0.1 go.errorsafe.com ## added by CiD

127.0.0.1 go.winantispyware.com ## added by CiD

127.0.0.1 go.winantivirus.com ## added by CiD

127.0.0.1 hk.winantivirus.com ## added by CiD

127.0.0.1 instlog.errorsafe.com ## added by CiD

127.0.0.1 instlog.winantivirus.com ## added by CiD

127.0.0.1 instlog.winfixer.com ## added by CiD

127.0.0.1 jsp.drivecleaner.com ## added by CiD

127.0.0.1 kb.errorsafe.com ## added by CiD

127.0.0.1 kb.winantivirus.com ## added by CiD

127.0.0.1 nl.errorsafe.com ## added by CiD

127.0.0.1 se.errorsafe.com ## added by CiD

127.0.0.1 secure.drivecleaner.com ## added by CiD

127.0.0.1 secure.errorsafe.com ## added by CiD

127.0.0.1 secure.winantispam.com ## added by CiD

127.0.0.1 secure.winantispy.com ## added by CiD

127.0.0.1 secure.winantivirus.com ## added by CiD

127.0.0.1 support.winantivirus.com ## added by CiD

127.0.0.1 trial.updates.winsoftware.com ## added by CiD

127.0.0.1 ulog.winantivirus.com ## added by CiD

127.0.0.1 utils.errorsafe.com ## added by CiD

127.0.0.1 utils.winantivirus.com ## added by CiD

127.0.0.1 utils.winfixer.com ## added by CiD

127.0.0.1 winantispyware.com ## added by CiD

127.0.0.1 winantivirus.com ## added by CiD

127.0.0.1 winfixer.com ## added by CiD

127.0.0.1 winfixer2006.com ## added by CiD

127.0.0.1 winsoftware.com ## added by CiD

127.0.0.1 www.drivecleaner.com ## added by CiD

127.0.0.1 www.errorprotector.com ## added by CiD

127.0.0.1 www.errorsafe.com ## added by CiD

127.0.0.1 www.systemdoctor.com ## added by CiD

127.0.0.1 www.utils.winfixer.com ## added by CiD

127.0.0.1 www.win-anti-virus-pro.com ## added by CiD

127.0.0.1 www.win-virus-pro.com ## added by CiD

127.0.0.1 www.winantispam.com ## added by CiD

127.0.0.1 www.winantispy.com ## added by CiD

127.0.0.1 www.winantispyware.com ## added by CiD

127.0.0.1 www.winantivirus.com ## added by CiD

127.0.0.1 www.winantiviruspro.com ## added by CiD

127.0.0.1 www.windrivecleaner.com ## added by CiD

127.0.0.1 www.windrivesafe.com ## added by CiD

127.0.0.1 www.winfixer.com ## added by CiD

127.0.0.1 www.winfixer2006.com ## added by CiD

127.0.0.1 www.winsoftware.com ## added by CiD

127.255.255.255 www.getright.com

127.255.255.255 pro.getright.com

127.255.255.255 www.headlightinc.com

 

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

 

GenericRenosFix by S!Ri

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

 

C:\WINDOWS\Tasks\At?.job Deleted

 

»»»»»»»»»»»»»»»»»»»»»»»» DNS

 

HKLM\SYSTEM\CCS\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

HKLM\SYSTEM\CS1\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.58

HKLM\SYSTEM\CS2\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

HKLM\SYSTEM\CS3\Services\Tcpip\..\{F93BA93D-DF37-41EC-8920-55D0E5450D46}: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.58

HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=202.156.1.78 202.156.1.68 218.186.1.88

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System

!!!Attention, following keys are not inevitably infected!!!

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"System"=""

 

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

 

Registry Cleaning done.

 

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix

!!!Attention, following keys are not inevitably infected!!!

 

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

 

 

»»»»»»»»»»»»»»»»»»»»»»»» End

 

----------------------------------------------------------------------------------------------------------------------------

 

Latest HijackThis! Log

 

Logfile of HijackThis v1.99.1

Scan saved at 11:39:40 AM, on 6/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\sistray.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\WINDOWS\system32\CTPdeSrv.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe

O1 - Hosts: 127.255.255.255 www.getright.com

O1 - Hosts: 127.255.255.255 pro.getright.com

O1 - Hosts: 127.255.255.255 www.headlightinc.com

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

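The hosts dump in rapport.txt above shows two different kinds of tampering side by side: dozens of rogue-antivirus domains pinned to 127.0.0.1, each tagged "## added by CiD", and the GetRight/Headlight hosts pinned to the non-standard loopback address 127.255.255.255 with no tag at all. As an added example (not part of the post, of SmitFraudFix or of HostsXpert), the Python below parses a hosts file in that format, attributes entries to whichever tool tagged them, separates ordinary 127.0.0.1 blocks from other loopback addresses and from true redirections to a foreign host, and emits the stock single-mapping file a restore would leave behind. The sample lines are copied from the dump; the category names and the assumption that a stock Windows XP hosts file maps only localhost are this example's own.

```python
"""Audit a Windows hosts file for third-party additions (added example, not a forum or SmitFraudFix tool)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the rapport.txt hosts dump in this thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1 bin.errorprotector.com ## added by CiD
127.0.0.1 www.winfixer.com ## added by CiD
127.0.0.1 www.winantivirus.com ## added by CiD
127.255.255.255 www.getright.com
127.255.255.255 pro.getright.com
127.255.255.255 www.headlightinc.com
"""

# Assumption: a stock Windows XP hosts file carries only this one mapping.
XP_DEFAULT = {"localhost": "127.0.0.1"}

Entry = Tuple[str, str, str]  # (hostname, ip, trailing comment without the '#' characters)


def parse_hosts(text: str) -> List[Entry]:
    """Split each mapping line into (name, ip, comment); blank and comment-only lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        mapping, _, comment = raw.partition("#")
        fields = mapping.split()
        if len(fields) < 2:
            continue
        ip, *names = fields  # one line may list several names for the same address
        for name in names:
            entries.append((name.lower(), ip, comment.strip("# ").strip()))
    return entries


def classify(name: str, ip: str) -> str:
    """Category names are this example's own, not HostsXpert's."""
    if XP_DEFAULT.get(name) == ip:
        return "default"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if addr.is_unspecified or str(addr) in ("127.0.0.1", "::1"):
        return "blocked"              # name resolves to this machine: the usual block-list trick
    if addr.is_loopback:
        return "blocked-nonstandard"  # some other 127.x.x.x address, e.g. 127.255.255.255
    return "redirected"               # name sent to a foreign host: pharming rather than blocking


def audit(text: str) -> Dict[str, List[Entry]]:
    """Group every mapping by category."""
    report: Dict[str, List[Entry]] = {}
    for name, ip, comment in parse_hosts(text):
        report.setdefault(classify(name, ip), []).append((name, ip, comment))
    return report


def added_by(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per trailing tag, so it is visible which tool wrote them."""
    counts: Dict[str, int] = {}
    for _, _, comment in entries:
        tag = comment or "(untagged)"
        counts[tag] = counts.get(tag, 0) + 1
    return counts


def restored_hosts() -> str:
    """Content to write back once every non-default mapping has been removed."""
    return "".join(f"{ip}\t{name}\n" for name, ip in XP_DEFAULT.items())


if __name__ == "__main__":
    report = audit(SAMPLE_HOSTS)
    for kind, entries in report.items():
        print(f"{kind}: {len(entries)} entries, tags {added_by(entries)}")
    print("restored file:\n" + restored_hosts(), end="")
```

Attribution by trailing comment is only a convenience: a tool that writes no tag, as whatever pinned the GetRight hosts did here, shows up as untagged, so the category and the address still have to be read together.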

Welcome back

"I've been feeling my computer is a bit faster now. Thank you."

You're very welcome, but we have more work to do here.

 

I see two antivirus programs here: AVG7 and Symantec/Norton.

This causes system clashes and instability, and the possibility of false reports with a huge waste of system resources. And in many cases it actually reduces your protection instead of adding more.

You can keep both programs, but you must disable the real-time component of one AntiVirus, keeping it as an on-demand scanner, while the other AV will provide a real-time protection.

The alternative is to uninstall one AV and keep the other.

 

You make the call and if you need help uninstalling one please let me know.

Here are two articles where it is explained in detail.

Symantec

Microsoft


Please go to Start -> Control Panel -> Software -> Add or Remove Programs and remove any of the following that are listed:

 

Bitdownload

Bitgrabber

Bitroll

CiD Manager

CiD Help

Download Plugin for Internet Explorer

Messenger Plus!

Messenger Plus! 2

Messenger Plus! 3

Messenger Plus! Live

Messenger Plus! Live & Sponsor

Netpumper

Zone Media

WinZix

 

I see you have the MegaUpload Toolbar installed. I do NOT recommend this one since it has a questionable reputation, so I would rather you uninstall it.

If any of the above items were found, uninstall them and then reboot. If it will only uninstall a few at a time, do as many as you can until all are done; this is important.


Download the HostsXpert ...from Here and unzip it to your desktop.

Next, open the HostsXpert

  • Make sure that the "make hosts writable?" button in the upper right corner is checked
  • Now, click on 'back up Host files'
  • then click on 'Restore original host files'
  • Finally, close HostsXpert

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe

O1 - Hosts: 127.255.255.255 www.getright.com

O1 - Hosts: 127.255.255.255 pro.getright.com

O1 - Hosts: 127.255.255.255 www.headlightinc.com

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"

O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab


Please download OTMoveIt by OldTimer:

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose "Copy"):
     
    C:\WINDOWS\system32\tmallcg.exe
     
     
  • Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be Moved" window and choose "Paste".
  • Click the red "MoveIt!" button.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose "Yes".

 

Please post the log from OTMoveIt, located here:

 

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

 

Where mmddyyyy_hhmmss is the date of the tool run.


Download ComboFix from Here or Here

IMPORTANT !!! Place it on your Desktop.

  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.


In your next reply post:

OTMoveIt log

ComboFix.txt

New HJT log

Comments on how your computer is running now


For the DrWeb issue, have you tried going into safe mode to uninstall?

 

Please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.

5) Log in with your usual account. Make sure to close any open browsers.

 

Try this next if safe mode does not work.

 

Please download Ccleaner and save it to your desktop.

Tutorial for CCleaner

During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it. Do not run it yet.

 

From Safe Mode run Ccleaner

 

Click on: Run Cleaner

Click on: Tools

Select: Dr.Web

Click on: Delete Entry

 

Next, Click on Options,

Select Advanced

Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"

Make sure the Cleaner block on the left is selected.

Do not use the "Issues" block. It's meant for professionals.

Choose the Windows tab.

Check everything EXCEPT Advanced part of the Menu.

Click on "Analyze". This process could take a while.

If you don't want to lose your login passwords to certain sites, click on Options

Select cookies and move the ones you want to keep to the "cookies to keep" section, by highlighting and using the arrows in the middle.

Choose Run Cleaner.

When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

If you have more than one user, run Ccleaner for every user.

 

NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure ..... http://kellys-korner-xp.com/regs_edits/xp_whichcpu.exe

Edited by Juliet

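The fix list above is a good illustration of what a helper looks for in a HijackThis 1.99 log: an extra executable hung off the UserInit value, hosts-file lines that redirect real domains, browser objects whose file is gone, a Run entry launching from a Temp folder, and services whose binary is missing. As an added example, not part of this thread and not HijackThis code, here is a small Python triage pass over such log lines; the flagging rules are this example's own heuristics, and the sample lines are constructed from the entries quoted above plus two ordinary ones that should pass clean.

```python
import ntpath
import re

# Constructed sample: the lines the helper asked to fix in this thread,
# plus two ordinary entries (Winamp, AVG) that should pass through clean.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,tmallcg.exe
O1 - Hosts: 127.255.255.255 www.getright.com
O1 - Hosts: 127.255.255.255 pro.getright.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\{E4F04258-9F60-437E-A026-BF80A37B5CCB}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O9 - Extra button: (no name) - {8DAE90AD-4583-4977-9DD4-4360F7A45C74} - (no file)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\]\s*(.*)$")


def triage_line(line):
    """Return a short reason if the HJT line deserves a look, else None.

    The rules are this example's own heuristics, not HijackThis logic."""
    line = line.strip()

    # F2: Winlogon's UserInit should name only userinit.exe; anything
    # appended after a comma starts at every logon, before the shell.
    m = USERINIT_RE.match(line)
    if m:
        parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
        extra = [p for p in parts if ntpath.basename(p).lower() != "userinit.exe"]
        return ("UserInit also launches: " + ", ".join(extra)) if extra else None

    # O1: HJT lists hosts-file lines beyond the default; a real domain mapped
    # to a local or bogus address is a redirect (here it blocks a download
    # manager's own site).
    m = HOSTS_RE.match(line)
    if m:
        addr, host = m.groups()
        return None if host.lower() == "localhost" else f"hosts maps {host} to {addr}"

    # O2/O9: a CLSID still registered although its DLL is gone, the usual
    # leftover of a half-removed add-on.
    if line.startswith(("O2 - BHO:", "O9 - Extra")) and "(no file)" in line:
        return "browser object registered but its file is gone"

    # O4: a Run entry that launches from a Temp folder is rarely legitimate.
    m = RUN_RE.match(line)
    if m:
        name, command = m.groups()
        if re.search(r"\\temp\\", command, re.IGNORECASE):
            return f"Run entry [{name}] starts from a Temp folder"
        return None

    # O23: service definition whose binary is missing (dead installer remnant).
    if line.startswith("O23 - Service:") and "(file missing)" in line:
        return "service points at a missing file"
    return None


def triage_log(text):
    """Return [(section, reason, line)] for every flagged line in the log."""
    findings = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.split(" - ", 1)[0], reason, line.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage_log(SAMPLE_LOG):
        print(f"{section:>3}: {reason}\n     {line}")
```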

I'm currently stuck at the steps for the OTMoveIt. My computer gave me an error box saying that it cannot create file C:\_OTMoveIt\MovedFiles\06212007_194321.log and that the results indicate that File/Folder C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log not found. not found.

 

What should I do? :blush:


I saw that you have this trojan invading your computer. Just been looking at this tells me so...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

 

That means every time you log in to your Internet Explorer, it will refer this achitasin&MindMap as your homepage; even if you change your homepage to another website, after a while it will still return back to achitasin&MindMap. I think the risk of this trojan should be high...

Am I right?


Welcome back symbiote28

 

For right now we'll continue.

If you had HJT fix those entries I indicated, do this next

 

Please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Use the up arrow key to highlight Safe Mode and press Enter.

5) Log in with your usual account. Make sure to close any open browsers.


Using windows explorer search for and delete this file in bold

 

C:\WINDOWS\system32\tmallcg.exe


Then continue with the rest of the instructions and post the logs please.

 

In your next reply post:

ComboFix.txt

New HJT log

Comments on how your computer is running now

Note to Claude, if you're having a problem with spyware or malware I must ask that you start your own thread. Thank you


I just happened to see his log contains some of the trojans that I discovered and wished to inform him about it. I'm sorry if you think that way. Trying to help and yet misunderstandings happen.

 

Oh well..good luck..

Edited by ClaudeX


I saw that you have this trojan invading your computer. Just been looking at this tells me so...

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Achitasin&MindMap

 

That means every time you log in to your Internet Explorer, it will refer this achitasin&MindMap as your homepage; even if you change your homepage to another website, after a while it will still return back to achitasin&MindMap. I think the risk of this trojan should be high...

Am I right?

 

Yes! That's right .. I got this trojan from a computer in my school and many of my friends have it too .. Any idea how to remove it? This trojan is irritating as hell as I cannot open my drives by double-clicking them .. instead, I have to right-click and select Explore ..

 

EDIT: I've tried searching for C:\WINDOWS\system32\tmallcg.exe in safe mode but there was no such file found .. What should I do? Should I just skip the step and run the combofix.exe? I think I'd better not do anything until I hear from you again .. :rolleyes:

 

PS: uninstalling Dr.Web from safe mode is unsuccessful too, so I guess I have to follow the CCleaner steps ..

Edited by symbiote28


Welcome back

 

I think OTMoveIt worked and did remove the bad file...

 

Please run ComboFix and the other instructions I gave, post the logs please.


I need a ComboFix log.....New HJT log


Here are the logs you've asked for ..

 

ComboFix.txt

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Home PC\Desktop\ComboFix.exe

"Home PC" - 2007-06-23 14:14:02 - Service Pack 2 NTFS

 

Rootkit driver pe386 is present. ... attempting disinfection

pe386 ...... driver unloaded successfully.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\autorun.inf

C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat

C:\Program Files\Common Files\{64F9D~1

C:\Program Files\Common Files\misc002

C:\WINDOWS\system32\crunner

C:\WINDOWS\system32\crunner\cproc.exe.config

C:\WINDOWS\system32\crunner\cupdater.exe.config

C:\WINDOWS\system32\crunner\ICSharpCode.SharpZipLib.dll

C:\WINDOWS\system32\crunner\Version.txt

C:\WINDOWS\system32\lzx32.sys

C:\WINDOWS\system32\msxml3a.dll

d:\autorun.inf

e:\autorun.inf

l:\autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE

-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-05-23 to 2007-06-23 )))))))))))))))))))))))))))))))


2007-06-23 14:10 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-22 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-20 17:33 <DIR> d-------- C:\Program Files\nokcvtr

2007-06-20 11:26 1,704 --a------ C:\WINDOWS\system32\tmp.reg

2007-06-20 11:16 <DIR> d-------- C:\NoLopBackups

2007-06-19 09:56 <DIR> d-------- C:\Program Files\RegCure

2007-06-19 09:24 <DIR> d-------- C:\Program Files\Panda Software

2007-06-18 20:32 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-06-12 23:57 <DIR> d-------- C:\Program Files\XoftSpySE

2007-06-12 23:09 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\DoctorWeb

2007-06-12 22:00 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL

2007-06-12 22:00 5,856 --a------ C:\WINDOWS\system32\drivers\drwebnet.sys

2007-06-12 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-06-12 20:46 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

2007-06-12 20:45 <DIR> d-------- C:\WINDOWS\Internet Logs

2007-06-09 20:48 720,896 --a------ C:\WINDOWS\iun6002ev.exe

2007-06-09 20:48 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe

2007-06-09 19:53 <DIR> d-------- C:\Program Files\GameHouse

2007-06-08 22:08 14 --a------ C:\WINDOWS\popcinfot.dat

2007-06-08 22:08 0 --a------ C:\WINDOWS\popcreg.dat

2007-06-08 21:42 <DIR> d-------- C:\Program Files\Five+

2007-06-03 16:23 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-06-03 16:23 <DIR> d-------- C:\Program Files\Xvid

2007-06-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap

2007-05-29 20:04 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll

2007-05-29 20:04 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll

2007-05-28 20:55 <DIR> d-------- C:\Program Files\Internet Download Manager

2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\IDM

2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\DMCache

2007-05-26 15:21 <DIR> d-------- C:\Program Files\GetRight

2007-05-26 15:02 <DIR> d-------- C:\Program Files\Download Master

2007-05-26 15:02 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\Download Master


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-22 13:06:20 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\uTorrent

2007-06-22 12:50:12 56 ----a-w C:\WINDOWS\popcinfo.dat

2007-06-19 11:16:50 -------- d-----w C:\Program Files\Oberon Media

2007-06-19 01:26:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-13 03:24:32 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\TransFork

2007-06-12 17:05:49 292 ----a-w C:\WINDOWS\rdjkr.dll

2007-06-12 16:26:57 -------- d-----w C:\Program Files\Norton AntiVirus

2007-06-12 14:00:10 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-10 12:01:34 -------- d-----w C:\Program Files\Opera

2007-06-10 11:52:11 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\Opera

2007-06-08 14:08:47 -------- d-----w C:\Program Files\PopCap Games

2007-06-08 11:03:24 -------- d-----w C:\Program Files\uTorrent

2007-06-02 07:11:33 -------- d-----w C:\Program Files\Atlantis Sky Patrol

2007-05-27 02:29:58 -------- d-----w C:\Program Files\Messenger

2007-05-19 10:24:08 -------- d-----w C:\Program Files\Arcade Lines

2007-05-19 07:37:01 -------- d-----w C:\Program Files\Mahjong Towers II

2007-05-19 07:17:40 -------- d-----w C:\Program Files\LimeWire

2007-05-13 03:27:01 -------- d-----w C:\Program Files\Last.fm

2007-05-12 10:58:40 -------- d-----w C:\Program Files\ReflexiveArcade

2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-16 14:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-08 04:55:37 1,604,164 ----a-w C:\WinRMSetup.exe

2001-08-23 20:00:00 94,784 --sh--w C:\WINDOWS\twain.dll

2004-08-04 00:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll

2004-08-04 00:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll

2004-08-04 00:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll

2004-08-04 00:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll

2004-08-04 00:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll

2004-08-04 00:56:46 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll

2004-08-04 00:56:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll

2004-08-04 00:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{0055C089-8582-441B-A0BF-17B458C2A3A8}=C:\Program Files\Internet Download Manager\IDMIECC.dll [2006-08-29 16:28]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 14:55]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 02:29]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 09:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]

"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-05-28 20:58]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 17:06]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpIDerMail]

"C:\Program Files\DrWeb\spiderml.exe"

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

 

*Newly Created Service* - COMHOST

 

Contents of the 'Scheduled Tasks' folder

2007-06-23 06:22:06 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

2007-06-23 06:23:25 C:\WINDOWS\tasks\RegCure Program Check.job

2007-06-19 01:57:01 C:\WINDOWS\tasks\RegCure.job

2007-06-12 15:57:23 C:\WINDOWS\tasks\XoftSpySE.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-23 14:23:35

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-23 14:26:24 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-06-23 14:26

 

--- E O F ---

 

---------------------------------------------------------------------------------------------------------------------------

 

Latest HJT Log

 

Logfile of HijackThis v1.99.1

Scan saved at 2:30:15 PM, on 6/23/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Messenger\msmsgs.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\system32\CTPdeSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)


Welcome back

ComboFix did a very good job, just a little bit more work to do now.

 

I see Grisoft\AVG7 and several files related to Norton AntiVirus but many say file missing.

Did you previously have Nortons and try to uninstall?

 

If this is the case and you want to fully remove all files related to Norton Antivirus-

 

To fully remove Norton AntiVirus, you should go here before uninstalling and download the files and print the instructions for removal, and follow them after uninstalling NAV:

How to uninstall Norton AntiVirus 2004/2005/2006

(note: this removes ALL Norton 2004/2005/2006 products from your computer, and also uninstalls Norton Ghost 10.0/9.0/2003)

How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition

How to uninstall Norton AntiVirus 2000/2001/2002

 

You can also add this article/tutorial in the removal instructions in case there are additional problems after/during removing Norton:

http://basconotw.mvps.org/SymRem.htm

uninstalling Symantec applications


I see you installed Megaupload Toolbar. This one has a questionable reputation. That's why I also suggest you uninstall it.

From the Megaupload Toolbar EULA:

 

"This toolbar integrates certain services from alexa internet,inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and basic information to alexa on your use of the toolbar, including the ip address of your computer, the url of the web pages you visit and, because the toolbar communicates via http, data typical of normal http communications such as user agent and operating system, will be communicated."

 

Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.


I didn't detect any active process of a firewall on your system.

 

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

You should not rely on just the Windows XP firewall when there are firewalls that are free for personal use that are better; the Windows XP firewall only checks incoming data.

If you decide to download and install another Firewall....please disable Windows Firewall.

Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on Firewalls and a listing of some available ones see the link below

http://www.bleepingcomputer.com/tutorials/tutorial60.html


Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows and browsers except HijackThis and press fix checked.

 

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

Folder::

C:\NoLopBackups

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]

Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

Combo-Do.gif

 

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.

 

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

 

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (this in case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

 

In your next reply post:

ComboFix-Do.txt log

DrWeb.csv log

New HJT log

I need comments on how your computer is running now

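The per-drive mountpoints2 keys listed under 'Reg Loading Points' in the ComboFix log are exactly what the Registry:: section of the ComboFix-Do.txt script above deletes: each one hands the drive's AutoRun command to wscript.exe and a .vbs file, which is why the drives would no longer open with a double-click. As an added example, not ComboFix's code and not from this thread, here is a Python script that pulls those keys out of a ComboFix log and writes the matching Registry:: block; the only assumption is the key/value layout shown in the log above, and the sample log is constructed from three of its entries.

```python
import re

# Constructed sample, copied from the 'Reg Loading Points' part of the
# ComboFix log above: an ordinary Run key that must be left alone, then
# three of the per-drive mountpoints2 keys carrying the worm's AutoRun command.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 09:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe achi.dll.vbs
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
AUTORUN_RE = re.compile(r"^AutoRun\\command-\s*(.*)$", re.IGNORECASE)
# A drive's AutoRun command that hands control to a script host or a script
# file is the signature of an autorun.inf-borne worm; Explorer then runs it
# on every double-click of the drive, which is the symptom reported above.
SCRIPT_MARKERS = ("wscript.exe", "cscript.exe", ".vbs", ".vbe", ".js", ".bat", ".cmd")


def find_autorun_hijacks(log_text):
    """Return [(registry key, command)] for every mountpoints2 key in the
    log whose AutoRun command launches a script host or script file."""
    hijacks = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:                      # a new [HKEY_...] section header
            current_key = key.group(1)
            continue
        value = AUTORUN_RE.match(line)
        if value and current_key and "\\mountpoints2\\" in current_key.lower():
            command = value.group(1)
            if any(marker in command.lower() for marker in SCRIPT_MARKERS):
                hijacks.append((current_key, command))
    return hijacks


def combofix_registry_block(hijacks):
    """Render the keys as a ComboFix script section; [-KEY] deletes KEY
    (the same syntax as the Registry:: block in the thread)."""
    return "\n".join(["Registry::"] + [f"[-{key}]" for key, _ in hijacks])


if __name__ == "__main__":
    print(combofix_registry_block(find_autorun_hijacks(SAMPLE_LOG)))
```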

I'm very wary of uninstalling any Norton programs because I realise that after uninstalling it, I can hardly run my computer .. it gives me a blue screen saying something about a hardware failure ..


Welcome back

 

If you want to continue using Norton AntiVirus that's fine, but you need to disable or uninstall AVG7.

I have to say, I have not heard anyone mention uninstalling Norton giving hardware errors before, but there's always a first time I suppose.

 

Also, you need an onboard firewall. I supplied you with a list of known good free programs that do the job well.

 

In your next reply post:

ComboFix-Do.txt log

DrWeb.csv log

New HJT log

I need comments on how your computer is running now


hey there .. I've been busy with exams lately and finally I had some time to reply .. here are the logs you've asked for ..

 

ps: I see that the DrWeb.csv log identifies one of my video converter programs as a threat, but I'm hoping I don't have to delete the program as it has been really useful to me ..

 

ComboFix-Do.txt log

 

Folder::

C:\NoLopBackups

 

Registry::

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2fe5e870-81e2-11db-9ccc-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3264eba2-9b3f-11db-9d33-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a89eb8ae-b8f7-11db-9db1-000000000000}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c638f844-ffcd-11db-9ef6-000000000000}]

 

-----------------------------------------------------------------------------------------------------------------------------

 

DrWeb.csv log

 

SUPER.exe;C:\Program Files\eRightSoft\SUPER;Probably DLOADER.Trojan;;

Process.exe;C:\Program Files\Roguescanfix;Tool.Prockill;Incurable.Moved.;

 

-----------------------------------------------------------------------------------------------------------------------------

 

Latest HJT Log

 

Logfile of HijackThis v1.99.1

Scan saved at 12:18:38 PM, on 6/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\system32\CTPdeSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

 

-----------------------------------------------------------------------------------------------------------------------------


Welcome back

 

ComboFix.txt is the log I needed; you copied the contents of the ComboFix-Do.txt I had posted for you to run.

ps: I see that the DrWeb.csv log identifies one of my video converter programs as a threat, but I'm hoping I don't have to delete the program as it has been really useful to me

I think it would be a safe program to keep since you know it's safe.

 

 

Did you run the Norton removal tool?

 

I'll list below the remaining files to be deleted.

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

 

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)

O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)

O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

 

 

 

Using Windows Explorer, locate the following files/folders and delete them, if still present:

 

If you have trouble finding any of those files, configure Windows Explorer to show hidden files and folders and go after them again. (Remember to hide files and folders again once done.)

 

To enable viewing of hidden files, do the following:

1) Go to My Computer, and click on the "Tools" menu

2) Click "Folder options"

3) Select the "View" tab

4) Make sure "Show hidden files and folders" is selected

5) Make sure "Hide extensions for known file types" is unchecked

6) Make sure "Hide protected operating system files (recommended)" is unchecked.

 

 

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

C:\Program Files\Norton Internet Security\isPwdSvc.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

 

Reboot your computer when done.

 

In your next post I need

 

ComboFix.txt

New HJT log

Comments on how your computer is running now

 

 

 

Removing Norton Internet Security will leave you with no Firewall.

 

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

You should not rely on just the Windows XP firewall when there are better firewalls that are free for personal use; the Windows XP firewall only checks incoming data.

If you decide to download and install another firewall, please disable Windows Firewall.

Start menu->>Control Panel->>Security Center->>Windows Firewall and disable Windows Firewall.

Sygate free firewall

ZoneAlarm free firewall

Outpost free Firewall

Comodo

Kerio Personal Firewall

Jetico Personal Firewall

 

The above are known good free Firewalls available for personal use. If one conflicts with your system, try another.

For a tutorial on firewalls and a listing of some available ones, see the link below.

http://www.bleepingcomputer.com/tutorials/tutorial60.html


hey there .. I've been getting new System Alerts for the trojan Trojan-Spy.Win32@mx .. how do I remove this? it suddenly appeared this morning ..

 

below are the logs you've asked for ..

 

HJT Log

 

Logfile of HijackThis v1.99.1

Scan saved at 7:37:15 PM, on 6/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Video ActiveX Access\iesmn.exe

C:\Program Files\Video ActiveX Access\imsmain.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

C:\Program Files\Internet Download Manager\IDMan.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Video ActiveX Access\imsmn.exe

C:\Program Files\Video ActiveX Access\iesmin.exe

C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

C:\WINDOWS\system32\sistray.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe

C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe

C:\WINDOWS\system32\CTPdeSrv.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

O4 - HKCU\..\Run: [iDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe

O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm

O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe (file missing)

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Unknown owner - C:\Program Files\Norton Internet Security\isPwdSvc.exe (file missing)

O23 - Service: Symantec AppCore Service (SymAppCore) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe (file missing)

 

----------------------------------------------------------------------------------------------------------------------------

 

ComboFix.txt Log

 

ComboFix 07-06-18.2 - C:\Documents and Settings\Home PC\Desktop\ComboFix.exe

"Home PC" - 2007-06-24 10:27:08 - Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Home PC\Desktop\ComboFix-Do.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\NoLopBackups

C:\NoLopBackups\A7F61E2B91859B4F.job.01.infected

 

 

((((((((((((((((((((((((( Files Created from 2007-05-24 to 2007-06-24 )))))))))))))))))))))))))))))))

 

 

2007-06-23 14:10 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-22 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion

2007-06-20 17:33 <DIR> d-------- C:\Program Files\nokcvtr

2007-06-20 11:26 1,704 --a------ C:\WINDOWS\system32\tmp.reg

2007-06-19 09:56 <DIR> d-------- C:\Program Files\RegCure

2007-06-19 09:24 <DIR> d-------- C:\Program Files\Panda Software

2007-06-18 20:32 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-06-12 23:57 <DIR> d-------- C:\Program Files\XoftSpySE

2007-06-12 23:09 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\DoctorWeb

2007-06-12 22:00 9,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL

2007-06-12 22:00 5,856 --a------ C:\WINDOWS\system32\drivers\drwebnet.sys

2007-06-12 20:47 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat

2007-06-12 20:46 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll

2007-06-12 20:45 <DIR> d-------- C:\WINDOWS\Internet Logs

2007-06-09 20:48 720,896 --a------ C:\WINDOWS\iun6002ev.exe

2007-06-09 20:48 <DIR> d-------- C:\Program Files\Bejeweled 2 Deluxe

2007-06-09 19:53 <DIR> d-------- C:\Program Files\GameHouse

2007-06-08 22:08 14 --a------ C:\WINDOWS\popcinfot.dat

2007-06-08 22:08 0 --a------ C:\WINDOWS\popcreg.dat

2007-06-08 21:42 <DIR> d-------- C:\Program Files\Five+

2007-06-03 16:23 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll

2007-06-03 16:23 <DIR> d-------- C:\Program Files\Xvid

2007-06-02 14:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap

2007-05-29 20:04 31,232 -r-hs---- C:\WINDOWS\system32\msfDX.dll

2007-05-29 20:04 163,328 -r-hs---- C:\WINDOWS\system32\flvDX.dll

2007-05-28 20:55 <DIR> d-------- C:\Program Files\Internet Download Manager

2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\IDM

2007-05-28 20:55 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\DMCache

2007-05-26 15:21 <DIR> d-------- C:\Program Files\GetRight

2007-05-26 15:02 <DIR> d-------- C:\Program Files\Download Master

2007-05-26 15:02 <DIR> d-------- C:\DOCUME~1\HOMEPC~1\APPLIC~1\Download Master

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-23 14:29:18 56 ----a-w C:\WINDOWS\popcinfo.dat

2007-06-22 13:06:20 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\uTorrent

2007-06-19 11:16:50 -------- d-----w C:\Program Files\Oberon Media

2007-06-19 01:26:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-06-13 03:24:32 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\TransFork

2007-06-12 17:05:49 292 ----a-w C:\WINDOWS\rdjkr.dll

2007-06-12 16:26:57 -------- d-----w C:\Program Files\Norton AntiVirus

2007-06-12 14:00:10 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-10 12:01:34 -------- d-----w C:\Program Files\Opera

2007-06-10 11:52:11 -------- d-----w C:\DOCUME~1\HOMEPC~1\APPLIC~1\Opera

2007-06-08 14:08:47 -------- d-----w C:\Program Files\PopCap Games

2007-06-08 11:03:24 -------- d-----w C:\Program Files\uTorrent

2007-06-02 07:11:33 -------- d-----w C:\Program Files\Atlantis Sky Patrol

2007-05-27 02:29:58 -------- d-----w C:\Program Files\Messenger

2007-05-19 10:24:08 -------- d-----w C:\Program Files\Arcade Lines

2007-05-19 07:37:01 -------- d-----w C:\Program Files\Mahjong Towers II

2007-05-19 07:17:40 -------- d-----w C:\Program Files\LimeWire

2007-05-13 03:27:01 -------- d-----w C:\Program Files\Last.fm

2007-05-12 10:58:40 -------- d-----w C:\Program Files\ReflexiveArcade

2007-04-16 14:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll

2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll

2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll

2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll

2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll

2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll

2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe

2007-04-16 14:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll

2007-04-16 14:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll

2007-04-16 14:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll

2007-04-08 04:55:37 1,604,164 ----a-w C:\WinRMSetup.exe

2001-08-23 20:00:00 94,784 --sh--w C:\WINDOWS\twain.dll

2004-08-04 00:56:48 50,688 --sh--w C:\WINDOWS\twain_32.dll

2004-08-04 00:56:44 1,028,096 --sh--w C:\WINDOWS\system32\mfc42.dll

2004-08-04 00:56:44 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll

2004-08-04 00:56:44 413,696 --sh--w C:\WINDOWS\system32\msvcp60.dll

2004-08-04 00:56:44 343,040 --sh--w C:\WINDOWS\system32\msvcrt.dll

2004-08-04 00:56:46 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll

2004-08-04 00:56:46 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll

2004-08-04 00:56:56 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{0055C089-8582-441B-A0BF-17B458C2A3A8}=C:\Program Files\Internet Download Manager\IDMIECC.dll [2006-08-29 16:28]

{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-02-14 02:29]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 09:05]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 14:32]

"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-05-28 20:58]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 17:06]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"megauploadtoolbar"=C:\DOCUME~1\HOMEPC~1\LOCALS~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar\"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpIDerMail]

"C:\Program Files\DrWeb\spiderml.exe"

 

*Newly Created Service* - COMHOST

 

Contents of the 'Scheduled Tasks' folder

2007-06-24 02:22:00 C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

2007-06-24 02:11:31 C:\WINDOWS\tasks\RegCure Program Check.job

2007-06-19 01:57:01 C:\WINDOWS\tasks\RegCure.job

2007-06-12 15:57:23 C:\WINDOWS\tasks\XoftSpySE.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-24 10:32:50

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-24 10:33:38

C:\ComboFix-quarantined-files.txt ... 2007-06-24 10:33

C:\ComboFix2.txt ... 2007-06-23 14:26

 

--- E O F ---


Welcome back

 

Tell me about this folder/program. Is this something you installed?

C:\Program Files\nokcvtr

 

If you do not have any information on this folder/program we need to have it checked.

Please go to at least two of the below sites to scan the following files:

jotti.org

or

virustotal

or

http://www.kaspersky.com/scanforvirus.html

 

Click on Browse, and upload the following file for analysis:

C:\Program Files\nokcvtr

 

Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

 

 

 

Did you run the Norton removal tool? Or try to remove any of the remaining Norton files I had outlined in my previous reply?

 

 

 

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll

O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll

 

 

 

Please download SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

 

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

 

Please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Using Windows Explorer, search for and delete this file:
C:\WINDOWS\rdjkr.dll

Open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

 

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

 

The report can also be found at the root of the system drive, usually at C:\rapport.txt

 

Warning : running option #2 on a non infected computer will remove your Desktop background.

 

 

 

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.

Click Start, click Control Panel, and then double click Internet Options.

On the General tab, click Delete files under Temporary Internet Files.

In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK

On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK

Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK

Click OK

 

 

 

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

 

Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

 

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #3 - Delete Trusted zone by typing 3 and press Enter

 

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the Programme and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

 

 

 

Please do an online scan with Kaspersky Online Scanner

  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

NEXT:

 

Please reboot your computer normally into Windows, and then please post the log from the Kaspersky scan and a new HijackThis log.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

In your next reply post:

Scanned file results

Smitfraud C:\rapport.txt

kavscan log.

New HJT log

Comments on how your computer is running now

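The two "fix checked" lists in this thread (the orphaned Symantec services marked "(file missing)" in the earlier reply, and the unnamed BHO and "Protection Bar" toolbar under Video ActiveX Access in the reply above) both come down to reading a HijackThis log for a few tell-tale patterns. The script below is an added example for this thread; it is not part of HijackThis, ComboFix, SmitfraudFix or any other tool named here. It parses lines in the format the logs above use and flags the patterns the helper acted on. The sample lines are copied from the 6/29/2007 log in this thread, the rogue-directory list holds only the `Video ActiveX Access` folder this thread identifies, and the function and variable names (`parse_hjt`, `triage`, `ROGUE_DIRS`) are my own.

```python
"""Triage helper for HijackThis (HJT) scan logs.

Added example for this thread (not part of HijackThis, ComboFix or
SmitfraudFix). It reads a pasted HJT log and flags the kinds of entries the
helper above asked to have fixed: services marked "(file missing)", hooks
marked "(no file)", unnamed browser add-ons, blanked IE settings, and any
path under a directory the thread identified as rogue.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the 6/29/2007 log above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Video ActiveX Access\iesmn.exe
C:\Program Files\Winamp\winampa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {184746EC-9E9D-4C7D-B9E7-9039EBD801A9} - C:\Program Files\Video ActiveX Access\iesplg.dll
O3 - Toolbar: Protection Bar - {29C5A3B6-9A8D-4FA0-B5AD-3E20F4AA5C00} - C:\Program Files\Video ActiveX Access\iesbpl.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccApp.exe" /h ccCommon (file missing)
"""

# The only directory this thread identifies as a rogue install ("Protection Bar").
ROGUE_DIRS = (r"C:\Program Files\Video ActiveX Access",)

# "R0 - ...", "O2 - ...", "O23 - ..." entries, and bare paths under "Running processes:".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")


@dataclass
class HjtEntry:
    section: str  # "R0", "O2", "O23", ... or "PROC" for a running-process line
    text: str     # the line exactly as pasted


def parse_hjt(log_text: str) -> list:
    """Split a pasted HJT log into entries, ignoring headers and blank lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group("section"), line))
        elif PATH_RE.match(line):
            entries.append(HjtEntry("PROC", line))
    return entries


def triage(entries, rogue_dirs=ROGUE_DIRS):
    """Return [(line, [reasons])] for every entry that deserves a second look."""
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O23" and e.text.endswith("(file missing)"):
            reasons.append("service points at a missing binary")
        if e.text.endswith("(no file)"):
            reasons.append("hook points at a missing file")
        if e.section == "R0" and e.text.endswith("="):
            reasons.append("IE setting blanked out")
        if e.section in ("O2", "O3") and "(no name)" in e.text:
            reasons.append("unnamed browser add-on")
        lowered = e.text.lower()
        if any(d.lower() in lowered for d in rogue_dirs):
            reasons.append("path under a known rogue directory")
        if reasons:
            findings.append((e.text, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python hjt_triage.py [hijackthis.log]; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for line, reasons in triage(parse_hjt(text)):
        print(f"{line}\n    -> {'; '.join(reasons)}")
```

The flagged list is a starting point for a human reviewer, not a removal decision: a "(file missing)" service can be nothing more than a leftover from an incomplete uninstall, which is exactly what the Symantec entries in this thread turned out to be, while a path under a directory like Video ActiveX Access is worth checking against the running-process list and the O2/O3 entries together, as the helper did.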

Due to the lack of feedback this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
