Jump to content


Photo

UDefender


  • This topic is locked This topic is locked
8 replies to this topic

#1 evi1st3wi3

evi1st3wi3

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 21 July 2007 - 08:59 PM

hello, i have recently been infected with the ultimate defender trojan(i think). it has taken over my homepageso tht every time i open IE an ultimate cleaner page comes up. even when i change my homepage it goes back to tht. also there are a bunch of popups saying someone is trying to attack my internet and once i close tht page it redirects me to a udefender page. i have tried other using spy doctor and spyhunter but spyhunter never worked and i was going to have to pay for spydoctor. i have already done everything the faq said i needed too. if there is anything else you need, just tell me. thnx.

i ran two scans with the ewido/AVG anti-spyware. this was my first one.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:50:35 PM 7/21/2007

+ Scan result:



C:\Documents and Settings\Andrew\Cookies\andrew@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@arn.aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@mrsupergames.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@www.adobe[1].txt -> TrackingCookie.Adobe : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@connextra[2].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Andrew\Local Settings\Temp\Cookies\andrew@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@105-bmp.googleadservices[2].txt -> TrackingCookie.Googleadservices : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@search.live[2].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@search.msn[2].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@ssl-hints.netflame[2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@ssl-hints.netflame[3].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@guide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@realguide.real[2].txt -> TrackingCookie.Real : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@site.skype[2].txt -> TrackingCookie.Skype : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Andrew\Cookies\andrew@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Andrew\My Documents\Stuff\WavePad 3.01.zip/FILE.VBS -> Worm.Gedza : Cleaned.
C:\Documents and Settings\Andrew\My Documents\Stuff\WavePad 3.01.zip/Setup.exe -> Worm.VB.dw : Cleaned.


::Report end
__________________
this was my second

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:28:56 PM 7/21/2007

+ Scan result:



Nothing found.



::Report end
____________________
here is my hijackthis report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:14 PM, on 7/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Airlink101\AWLH4030\WLService.exe
C:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Andrew\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PSPVideo9] E:\pspvideo9\pspVideo9.exe -t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: .protected
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Andrew\Local Settings\Temp\{31EFA5F6-46CD-411E-8D29-7A3DE06F3B39}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152077380500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152077371828
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O21 - SSODL: xvideo - {01198189-69E2-47C9-A49C-2995C9B3278F} - C:\WINDOWS\xvideo.dll
O21 - SSODL: sounddrv - {1739FF04-FF58-487B-BC96-C1AC8C1A327F} - C:\WINDOWS\sounddrv.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - C:\Program Files\Airlink101\AWLH4030\WLService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11388 bytes

please help. thank you.

#2 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 26 July 2007 - 04:32 AM

Hello,

I see you have Viewpoint installed...
Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then, * Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), combofix will open again to gather the necessary information for the log. This may take a bit. When done, Combofix will close and a log should open, combofix.txt.
Post the contents of this log in your next reply together with a new hijackthislog.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#3 evi1st3wi3

evi1st3wi3

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 July 2007 - 12:40 PM

Here is my ComboFix report.

"Andrew" - 2007-07-26 12:17:53 [GMT -5:00] - ComboFix 07-07-24.5 - Service Pack 2 NTFS
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\.protected
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup.\.protected
C:\DOCUME~1\Andrew\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Andrew\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Andrew\FAVORI~1.\Spyware&Malware Protection.url
C:\DOCUME~1\Andrew\STARTM~1\Programs\Startup.\.protected
C:\WINDOWS\.protected
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\sounddrv.dll
C:\WINDOWS\system32\drivers\etc\.protected
C:\WINDOWS\xvideo.dll


((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))


2007-07-26 12:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 21:43 <DIR> d-------- C:\HJT
2007-07-21 20:39 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-21 18:59 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-07-21 18:09 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-21 16:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-21 12:00 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-07-21 11:09 3,432 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-21 11:08 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-21 11:08 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-21 11:08 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-21 10:27 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-07-21 10:18 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-21 00:22 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2007-07-20 23:11 <DIR> d-------- C:\Program Files\PowerISO
2007-07-19 15:51 12,928 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-07-01 19:49 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2007-07-01 19:49 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2007-07-01 19:49 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2007-07-01 19:49 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2007-07-01 19:49 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2007-07-01 19:49 5,632 --a------ C:\WINDOWS\system32\kbd103.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 17:14:00 -------- d-----w C:\Program Files\Viewpoint
2007-07-26 17:09:47 -------- d-----w C:\Program Files\Plaxo
2007-07-26 02:18:07 -------- d-----w C:\DOCUME~1\Andrew\APPLIC~1\BitTorrent
2007-07-20 15:58:05 -------- d-----w C:\Program Files\NCH Swift Sound
2007-07-20 15:58:04 -------- d-----w C:\DOCUME~1\Andrew\APPLIC~1\NCH Swift Sound
2007-07-05 17:49:51 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-06-22 03:07:51 -------- d-----w C:\Program Files\Veoh Networks
2007-06-19 03:26:14 -------- d-----w C:\Program Files\3ivx
2007-06-16 17:12:37 -------- d-----w C:\Program Files\DivX
2007-06-16 03:22:30 -------- d-----w C:\Program Files\BitTorrent
2007-06-11 23:14:48 -------- d-----w C:\Program Files\RM Converter
2007-06-11 23:11:20 -------- d-----w C:\Program Files\ImTOO
2007-06-06 16:07:44 25,576 ----a-w C:\WINDOWS\system32\DivXVfWCodec.dll
2007-06-06 16:07:34 25,576 ----a-w C:\WINDOWS\system32\SamsungVfWCodec.dll
2007-06-06 16:06:54 443,368 ----a-w C:\WINDOWS\system32\OpenQuicktimeLib.dll
2007-06-06 16:06:40 66,536 ----a-w C:\WINDOWS\system32\libfaac.dll
2007-06-06 16:06:30 324,584 ----a-w C:\WINDOWS\system32\3ivxVfWCodec.dll
2007-06-06 16:06:22 1,135,664 ----a-w C:\WINDOWS\system32\3ivx.dll
2007-06-01 18:02:26 -------- d-----w C:\Program Files\Easy Video to Audio Converter
2007-06-01 17:48:40 -------- d-----w C:\Program Files\Blaze Media Pro
2007-06-01 17:31:49 -------- d-----w C:\Program Files\Google
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2005-09-01 14:09]
"nwiz"="nwiz.exe" [2006-10-22 13:22 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-11 21:48]
"PSPVideo9"="E:\pspvideo9\pspVideo9.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 22:58]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-14 21:49]
"SoundMan"="SOUNDMAN.EXE" [2006-08-03 05:12 C:\WINDOWS\soundman.exe]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 17:01]
"XboxStat"="c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-02-12 17:21]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-04-09 07:23]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PlaxoUpdate"="C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe" [2006-11-16 13:42]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe" [2005-02-25 19:28]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aim6"="" []
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 05:40]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 18:11]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2007-05-03 17:43]
"@"="" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
R0 NaiFsRec;NaiFsRec;C:\WINDOWS\system32\drivers\NaiFsRec.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 FileDisk;FileDisk;C:\WINDOWS\system32\drivers\FileDisk.sys
R1 NetBT;NetBios over Tcpip;C:\WINDOWS\system32\DRIVERS\netbt.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R2 AvSynMgr;AVSync Manager;"C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
R2 BlueSoleil Hid Service;BlueSoleil Hid Service;C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
R2 btwdins;Bluetooth Service;C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
R2 hmonitor;hmonitor;\??\C:\WINDOWS\system32\drivers\hmonitor.sys
R2 InCDsrvR;InCD Helper (read only);C:\Program Files\Ahead\InCD\InCDsrv.exe -r
R2 Super G Wireless Cardbus Service;Super G Wireless Cardbus Adapter Service;C:\Program Files\Airlink101\AWLH4030\WLService.exe
R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
R3 BlueletSCOAudio;Bluetooth SCO Audio Service;C:\WINDOWS\system32\DRIVERS\BlueletSCOAudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
R3 btaudio;Bluetooth Audio Device;C:\WINDOWS\system32\drivers\btaudio.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
R3 BTKRNL;Bluetooth Bus Enumerator;C:\WINDOWS\system32\DRIVERS\btkrnl.sys
R3 hidusb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 NaiFiltr;NaiFiltr;\??\C:\Program Files\Common Files\Network Associates\McShield\NaiFiltr.sys
R3 PCAlertDriver;PCAlertDriver;\??\C:\Program Files\MSI\PC Alert 4\NTGLM7X.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\system32\DRIVERS\usbccgp.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;USB2 Enabled Hub;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbohci.sys
R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\MkemUsb.sys
S3 BTDriver;Bluetooth Virtual Communications Driver;C:\WINDOWS\system32\DRIVERS\btport.sys
S3 BTWDNDIS;Bluetooth LAN Access Server;C:\WINDOWS\system32\DRIVERS\btwdndis.sys
S3 btwhid;btwhid;C:\WINDOWS\system32\DRIVERS\btwhid.sys
S3 BTWUSB;WIDCOMM USB Bluetooth Driver;C:\WINDOWS\system32\Drivers\btwusb.sys
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0;c:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
S3 GMSIPCI;GMSIPCI;\??\D:\INSTALL\GMSIPCI.SYS
S3 idsvc;Windows CardSpace;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
S3 NABTSFEC;NABTS/FEC VBI Codec;C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
S3 ovt519;D-Link VGA Webcam;C:\WINDOWS\system32\Drivers\ov519vid.sys
S3 usbaudio;USB Audio Driver (WDM);C:\WINDOWS\system32\drivers\usbaudio.sys
S3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
S3 w810mdfl;Sony Ericsson W810 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w810mdfl.sys
S3 w810mdm;Sony Ericsson W810 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w810mdm.sys
S3 w810mgmt;Sony Ericsson W810 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w810mgmt.sys
S3 w810obex;Sony Ericsson W810 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w810obex.sys
S3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S3 xusb21;Xbox 360 Wireless Receiver Driver Service 21;C:\WINDOWS\system32\DRIVERS\xusb21.sys
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service;"C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"

*Newly Created Service* - GTNDIS5
*Newly Created Service* - PCALERTDRIVER

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 12:31:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-26 12:33:47
C:\ComboFix-quarantined-files.txt ... 2007-07-26 12:33

--- E O F ---



This is my new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:13 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Airlink101\AWLH4030\WLService.exe
C:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Megaupload\Mega Manager\MegaManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IeMonitorBho Class - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PSPVideo9] E:\pspvideo9\pspVideo9.exe -t
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Andrew\Local Settings\Temp\{31EFA5F6-46CD-411E-8D29-7A3DE06F3B39}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152077380500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152077371828
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - C:\Program Files\Airlink101\AWLH4030\WLService.exe

--
End of file - 10532 bytes

#4 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 26 July 2007 - 01:43 PM

Hello,

Some remarks first...
I see you have NoAdware5 installed. There are better Antispyware scanners. Noadaware has a questionable reputation, so I suggest you uninstall it.

I also see you have Megaupload installed in combination with the MegaUpload toolbar. Most probably you didn't read the EULA while you installed it. I don't recommend it either because of this - from the EULA:

MegaUPLoad online storage and file delivery service - from the toolbar eula: "This toolbar integrates certain services from alexa internet,inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and (b) basic information to alexa on your use of the toolbar, including the ip address of your computer, the url of the web pages you visit and, because the toolbar communicates via http, data typical of normal http communications such as user agent and operating system, will be communicated."


So, that's why I also recommend you uninstall it.

Then,

Delete the C:\Qoobox folder

Then,


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2 <== check this entry if you didn't set it as your startpage
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
<== check this entry if you uninstalled MegaUpload
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
<== check this entry if you uninstalled MegaUpload
O4 - HKLM\..\Run: [PSPVideo9] E:\pspvideo9\pspVideo9.exe -t <== this program appears to be missing anyway
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized <== it is a bad idea to let p2p programs start up with Windows. Also, BitTorrent has a questionable reputation
O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Andrew\Local Settings\Temp\{31EFA5F6-46CD-411E-8D29-7A3DE06F3B39}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
<== this is a resource hog
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm<== check this entry if you uninstalled MegaUpload

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u2.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Post a new HijackThislog in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 evi1st3wi3

evi1st3wi3

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 July 2007 - 02:57 PM

Thank you so much for the help. Sorry, but I could not find Noadware in the Add/Remove Programs window. If you dont mind telling me another way to delete it, please explain.

Here is the new HiJackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:15 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Airlink101\AWLH4030\WLService.exe
C:\Program Files\Airlink101\AWLH4030\WLanCfgAG.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Belkin\Bluetooth Software\BTTray.exe
C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [BtcMaestro] "C:\Program Files\KMaestro\KMaestro.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [XboxStat] "c:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: CARD Monitor.lnk = C:\Program Files\Panasonic\Palmcorder\CARD LINK (for USB)\regcnt09.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1152077380500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1152077371828
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.w...ler/install.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Super G Wireless Cardbus Adapter Service (Super G Wireless Cardbus Service) - Unknown owner - C:\Program Files\Airlink101\AWLH4030\WLService.exe

--
End of file - 9407 bytes

#6 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 26 July 2007 - 03:06 PM

Hi,

but I could not find Noadware in the Add/Remove Programs window. If you dont mind telling me another way to delete it, please explain

Don't worry, most probably it was already removed previously, but the main folder is still present, so delete this folder:

C:\Program Files\NoAdware5.0

Your HijackThislog looks clean again. Let me know in your next reply how things are now..
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#7 evi1st3wi3

evi1st3wi3

    Member

  • Full Member
  • Pip
  • 4 posts

Posted 26 July 2007 - 03:45 PM

Thank you so much. everything is fine again. i dont have any popups and my home page on internet explorer is back to normal. actually, after the combofix step, i stopped getting popups. thnx again for helping.

#8 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 26 July 2007 - 04:24 PM

Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#9 miekiemoes

miekiemoes

    Malware Expert

  • Global Moderator
  • PipPipPipPipPip
  • 20,026 posts

Posted 28 July 2007 - 05:39 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please tell the moderating team by replying here
This applies only to the original topic starter.

Everyone else please begin a New Topic.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button