• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
tweetiepie

How to remove Tango?

20 posts in this topic

Tango is on my Internet Explorer though I use Firefox and now my Internet Explorer just open up by itself. My computer is also having problems turning on now due to Tango. How do I remove tango?

 

I already ran Malwarebytes' Anti-Malware and it says that there was nothing.

 

Here is my HiJackThis report:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 1:35:19 PM, on 31/05/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Documents and Settings\All Users\Application Data\SpaceQuery\spacequery127.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Hopper\Application Data\GabPath\gabpath.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

C:\WINDOWS\system32\cba\casvc.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\Program Files\SpaceQuery\spacequery.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\Windows Live\Contacts\wlcomm.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Hopper\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL

O2 - BHO: Tango - {75043D1D-9EAB-49AB-8754-C5ED61041508} - C:\WINDOWS\system32\f878.dll

O2 - BHO: Video Download Toolbar Helper - {83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FoxmarksDLLBHO - {A2A71ABA-3939-43B2-BD8F-8C1767EF9020} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll

O2 - BHO: ShpngrdHlpr - {A3ED2449-E049-4ab9-A059-DD0F9BA1BA44} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Video Download Toolbar IE Browser Helper Object - {B29002A0-87A1-4DC4-AC55-5982034EB61E} - C:\PROGRA~1\VIDEOD~1\V330~1.2\RESOUR~1\VIDEOD~1.DLL

O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll

O3 - Toolbar: Video Download Toolbar - {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: (no name) - {B625C93E-51E1-42D1-B428-CBC6C041114C} - (no file)

O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O3 - Toolbar: Tango - {75043D1C-9EAB-49AB-8754-C5ED61041508} - C:\WINDOWS\system32\f878.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [GabPath] C:\Documents and Settings\Hopper\Application Data\GabPath\gabpath.exe

O4 - HKCU\..\Run: [sfKg6wIPuSp] C:\Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.40&build=Symantec&a=00000082.0000001e.00000059&b=00000082.00000046.000000b5&c=00000082.00000097.000001cd

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\MediaManager\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\MSNXP~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://connectphl02.sap.com

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl02.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853

O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl02.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173335266491

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl02.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

O23 - Service: Intel Certificate Authority - Intel Corporation - C:\WINDOWS\system32\cba\casvc.exe

O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe

O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero7.9.6.0\Extracted Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SpaceQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SpaceQuery\spacequery127.exe

O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

O23 - Service: TabQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\TabQuery\tabquery131.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TMA Distribution - Unknown owner - C:\WINDOWS\system32\cba\lcfinst.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

 

--

End of file - 15685 bytes

Share this post


Link to post
Share on other sites

Hello and Welcome to the forums. :)

 

I am MoNsTeReNeRgY22 and I will be assisting you with your computer problem today.

 

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
     
  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

 

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

 

O2 - BHO: Tango - {75043D1D-9EAB-49AB-8754-C5ED61041508} - C:\WINDOWS\system32\f878.dll

O3 - Toolbar: (no name) - {B625C93E-51E1-42D1-B428-CBC6C041114C} - (no file)

O3 - Toolbar: Tango - {75043D1C-9EAB-49AB-8754-C5ED61041508} - C:\WINDOWS\system32\f878.dll

O4 - HKCU\..\Run: [GabPath] C:\Documents and Settings\Hopper\Application Data\GabPath\gabpath.exe

O4 - HKCU\..\Run: [sfKg6wIPuSp] C:\Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe

O23 - Service: SpaceQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\SpaceQuery\spacequery127.exe

O23 - Service: TabQuery Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\TabQuery\tabquery131.exe

 

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

 

Please go to Start > Control Panel > Add or Remove Programs and remove the following (if present):

 

SpaceQuery

TabQuery

 

Step 2

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
    :Processes
    explorer.exe
    
    :Services
    SpaceQuery Service
    TabQuery Service
    
    :Reg
    
    :Files
    C:\Documents and Settings\All Users\Application Data\SpaceQuery
    C:\Documents and Settings\Hopper\Application Data\GabPath
    C:\Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe
    C:\Program Files\SpaceQuery
    C:\WINDOWS\system32\f878.dll
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    


     

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
     
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply along with a fresh HJT log.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Share this post


Link to post
Share on other sites

Hi MoNsTeReNeRgY22

 

Thanks for your instructions.

 

Here is the OTM report:

 

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

Error: No service named SpaceQuery Service was found to stop!

Service\Driver key SpaceQuery Service not found.

Error: No service named TabQuery Service was found to stop!

Service\Driver key TabQuery Service not found.

========== REGISTRY ==========

========== FILES ==========

File/Folder C:\Documents and Settings\All Users\Application Data\SpaceQuery not found.

C:\Documents and Settings\Hopper\Application Data\GabPath folder moved successfully.

C:\Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe moved successfully.

C:\Program Files\SpaceQuery\SpaceQuery_deleted_ folder moved successfully.

C:\Program Files\SpaceQuery folder moved successfully.

File/Folder C:\WINDOWS\system32\f878.dll not found.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

 

[EMPTYTEMP]

 

User: All Users

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 67 bytes

 

User: Hopper

->Temp folder emptied: 6042512 bytes

->Temporary Internet Files folder emptied: 2260676 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 45654405 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 2042 bytes

 

User: Intel

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 10792161 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 4082924 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes

RecycleBin emptied: 734068736 bytes

 

Total Files Cleaned = 766.00 mb

 

Restore point Set: OTM Restore Point (0)

 

OTM by OldTimer - Version 3.1.12.2 log created on 06032010_184945

 

Files moved on Reboot...

File C:\WINDOWS\temp\JET9526.tmp not found!

File C:\WINDOWS\temp\Perflib_Perfdata_6b0.dat not found!

 

Registry entries deleted on Reboot...

 

 

Here is the new HiJackThis report:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:56:14 PM, on 03/06/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\OGAEXEC.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\notepad.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cba\casvc.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Documents and Settings\Hopper\Desktop\HiJackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.tangosearch.com/?useie5=1&q=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O1 - Hosts: ÿþ127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL

O2 - BHO: Video Download Toolbar Helper - {83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FoxmarksDLLBHO - {A2A71ABA-3939-43B2-BD8F-8C1767EF9020} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll

O2 - BHO: ShpngrdHlpr - {A3ED2449-E049-4ab9-A059-DD0F9BA1BA44} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Video Download Toolbar IE Browser Helper Object - {B29002A0-87A1-4DC4-AC55-5982034EB61E} - C:\PROGRA~1\VIDEOD~1\V330~1.2\RESOUR~1\VIDEOD~1.DLL

O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll

O3 - Toolbar: Video Download Toolbar - {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.40&build=Symantec&a=00000082.0000001e.00000059&b=00000082.00000046.000000b5&c=00000082.00000097.000001cd

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\MediaManager\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\MSNXP~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://connectphl02.sap.com

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl02.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853

O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl02.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173335266491

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl02.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

O23 - Service: Intel Certificate Authority - Intel Corporation - C:\WINDOWS\system32\cba\casvc.exe

O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe

O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero7.9.6.0\Extracted Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TMA Distribution - Unknown owner - C:\WINDOWS\system32\cba\lcfinst.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

 

--

End of file - 14720 bytes

Share this post


Link to post
Share on other sites

Hello again,

 

Step 1

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

Step 2

  • Download DDS by sUBs from one of the following links. Save it to your Desktop.

    NOTE: Before scanning, make sure all other running programs are closed

    There shouldn't be any scheduled antivirus scans running while the scan is being performed.

    Do not use your computer for anything else during the scan.

     

    [*]Double click on the DDS icon, allow it to run.

    [*]A small box will open, with an explanation about the tool. No input is needed, the scan is running.

    [*]Notepad will open with the results.

    [*]Follow the instructions that pop up for posting the results. Make sure to also post the checkup.txt.

    [*]Close the program window, and delete the program from your Desktop.

Share this post


Link to post
Share on other sites

Here is the Security Check report:

 

Results of screen317's Security Check version 0.99.4

Windows XP Service Pack 3

Internet Explorer 7 Out of date!

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Enabled!

Norton AntiVirus

Antivirus up to date! (On Access scanning disabled!)

```````````````````````````````

Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware

TuneUp Utilities 2008

CCleaner (remove only)

Java 6 Update 20

Adobe Flash Player 10.0.32.18

Adobe Reader 9.2

Out of date Adobe Reader installed!

Mozilla Firefox (3.6.3)

````````````````````````````````

Process Check:

objlist.exe by Laurent

Norton ccSvcHst.exe

````````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

 

``````````End of Log````````````

 

 

 

Here is the DDS report:

 

 

DDS (Ver_10-03-17.01) - NTFSx86

Run by Hopper at 19:01:35.81 on 04/06/2010

Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2550.1923 [GMT -7:00]

 

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

 

============== Running Processes ===============

 

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Hotspot Shield\bin\openvpnas.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\cba\casvc.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Documents and Settings\Hopper\Desktop\dds.com

 

============== Pseudo HJT Report ===============

 

uStart Page = hxxp://www.google.com/

uSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=

mSearch Bar = hxxp://www.tangosearch.com/?useie5=1&q=

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

uURLSearchHooks: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll

uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll

mWinlogon: UIHost=c:\documents and settings\all users\application data\tuneup software\tuneup utilities\winstyler\tu_logonui.exe

BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 9\SnagItBHO.dll

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: StumbleUpon Launcher: {145b29f4-a56b-4b90-bbac-45784ebebbb7} - c:\program files\stumbleupon\StumbleUponIEBar.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.0.41\IPSBHO.DLL

BHO: Video Download Toolbar Helper: {83bd144c-5e53-4e12-8e99-5a7f1bbf3ea0} - c:\program files\video download toolbar\v3.3.0.2\Video_Download_Toolbar.dll

BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: FoxmarksDLLBHO Class: {a2a71aba-3939-43b2-bd8f-8c1767ef9020} - c:\program files\xmarks\ie extension\foxmarksdll.dll

BHO: CescrtHlpr Object: {a3ed2449-e049-4ab9-a059-dd0f9ba1ba44} - c:\program files\shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll

BHO: Video Download Toolbar IE Browser Helper Object: {b29002a0-87a1-4dc4-ac55-5982034eb61e} - c:\progra~1\videod~1\v330~1.2\resour~1\VIDEOD~1.DLL

BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll

BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll

BHO: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: StumbleUpon Toolbar: {5093eb4c-3e93-40ab-9266-b607ba87bdc8} - c:\program files\stumbleupon\StumbleUponIEBar.dll

TB: {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - No File

TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 9\SnagItIEAddin.dll

TB: Video Download Toolbar: {e52be12d-a44a-4f51-9dc1-34f37a488cc7} - c:\program files\video download toolbar\v3.3.0.2\Video_Download_Toolbar.dll

TB: Hotspot Shield Toolbar: {c95a4e8e-816d-4655-8c79-d736da1adb6d} - c:\program files\hotspot_shield\tbHot1.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuz1.dll

TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

TB: Tango: {75043d1c-9eab-49ab-8754-c5ed61041508} - c:\windows\system32\f878.dll

EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRunOnce: [<NO NAME>] c:\program files\internet explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.40&build=Symantec&a=00000082.0000001e.00000059&b=00000082.00000046.000000b5&c=00000082.00000097.000001cd

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe

IE: Add to AMV Converter... - c:\program files\camex mp3 player\mp3 player utilities 4.15\amvconverter\grab.html

IE: Add to Media Manager... - c:\program files\camex mp3 player\mp3 player utilities 4.15\mediamanager\grab.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\msnxp~1\office10\EXCEL.EXE/3000

IE: StumbleUpon PhotoBlog It! - StumbleUponIEBar.dll/blogimage

IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {E59EB121-F339-4851-A3BA-FE49C35617C2} - c:\program files\icq6\ICQ.exe

IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

IE: {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - {F4E04D31-5659-4150-9A8E-6DDAF86A9A75} - c:\program files\shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

Trusted Zone: sap.com\connectphl02

Trusted Zone: stumbleupon.com

DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839

DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://connectphl02.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853

DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://connectphl02.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173335266491

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://connectphl02.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Authentication Packages = msv1_0 nwprovau

 

================= FIREFOX ===================

 

FF - ProfilePath - c:\docume~1\hopper\applic~1\mozilla\firefox\profiles\r0rld9iz.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\hopper\application data\mozilla\firefox\profiles\r0rld9iz.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\hopper\application data\mozilla\firefox\profiles\r0rld9iz.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCore.dll

FF - component: c:\documents and settings\hopper\application data\mozilla\firefox\profiles\r0rld9iz.default\extensions\{c95a4e8e-816d-4655-8c79-d736da1adb6d}\components\FFExternalAlert.dll

FF - component: c:\documents and settings\hopper\application data\mozilla\firefox\profiles\r0rld9iz.default\extensions\{c95a4e8e-816d-4655-8c79-d736da1adb6d}\components\RadioWMPCore.dll

FF - component: c:\program files\mozilla firefox\extensions\shpngrdextnsn@shoppinguard.com\components\FFHst.dll

FF - plugin: c:\documents and settings\hopper\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

 

---- FIREFOX POLICIES ----

FF - user.js: network.http.max-persistent-connections-per-server - 4

FF - user.js: content.max.tokenizing.time - 200000

FF - user.js: content.notify.interval - 100000

FF - user.js: content.switch.threshold - 650000

FF - user.js: nglayout.initialpaint.delay - 300

FF - user.js: yahoo.homepage.dontask - true

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

 

============= SERVICES / DRIVERS ===============

 

R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [2008-7-31 21512]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1008000.029\SymEFA.sys [2010-2-2 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1008000.029\BHDrvx86.sys [2010-2-2 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1008000.029\cchpx86.sys [2010-2-2 482432]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100528.003\IDSXpx86.sys [2010-5-28 331640]

R2 Intel Certificate Authority;Intel Certificate Authority;c:\windows\system32\cba\CASVC.EXE [2006-10-17 14336]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.8.0.41\ccSvcHst.exe [2010-2-2 117640]

R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100604.025\NAVENG.SYS [2010-6-4 85552]

R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100604.025\NAVEX15.SYS [2010-6-4 1347504]

R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2006-10-1 26624]

S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\drivers\ntcdrdrv.sys --> c:\windows\system32\drivers\ntcdrdrv.sys [?]

S3 BroadCamService;BroadCam Service;c:\program files\nch software\broadcam\broadCam.exe [2009-1-25 368644]

S3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [2008-12-7 30088]

S3 EyelineService;Eyeline Service;c:\program files\nch software\eyeline\eyeline.exe [2009-1-25 425988]

S3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [2008-7-2 26248]

S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-6-17 12648]

S3 StumbleUponUpdateService;StumbleUponUpdateService;c:\program files\stumbleupon\StumbleUponUpdateService.exe [2009-6-3 120168]

S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

 

=============== Created Last 30 ================

 

2010-06-04 01:49:45 0 d-----w- C:\_OTM

2010-05-30 06:23:18 0 d-----w- c:\program files\RapidSolution

2010-05-30 06:23:18 0 d-----w- c:\docume~1\alluse~1\applic~1\RapidSolution

2010-05-22 05:03:06 0 d-----w- c:\docume~1\hopper\applic~1\shoppinguard.com

2010-05-22 04:53:34 0 d-----w- c:\program files\Shoppinguard.com

2010-05-22 04:53:27 2229 ----a-w- c:\windows\system32\f878.vbs

 

==================== Find3M ====================

 

2010-05-02 19:36:26 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll

2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll

2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

2007-06-28 16:14:44 232960 ----a-w- c:\program files\iTunesOutlookAddIn.dll

2007-06-28 16:14:44 168960 ----a-w- c:\program files\iTunesPhotoSupport.dll

2007-06-28 16:14:44 132408 ----a-w- c:\program files\iTunesMiniPlayer.dll

2007-06-28 16:14:42 270648 ----a-w- c:\program files\iTunesHelper.exe

2007-06-28 16:14:42 108344 ----a-w- c:\program files\iTunesAdmin.dll

2007-06-28 16:14:36 15330616 ----a-w- c:\program files\iTunes.exe

2007-06-28 16:14:34 116024 ----a-w- c:\program files\ITDetector.ocx

2007-06-28 16:14:32 630784 ----a-w- c:\program files\iPodUpdaterExt.dll

2007-06-28 16:14:32 438272 ----a-w- c:\program files\CDDBControlApple.dll

2007-06-28 16:14:24 4904 ----a-w- c:\program files\About iTunes.rtf

2007-06-28 16:13:18 8356 ----a-w- c:\program files\Acknowledgements.rtf

2004-09-10 20:40:38 5970 ----a-w- c:\program files\eula.txt

2009-05-30 10:14:58 32768 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat

2009-05-30 10:14:58 16384 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat

 

============= FINISH: 19:02:07.84 ===============

Attach.txt

Share this post


Link to post
Share on other sites

Hi there,

 

Step 1

Please download OTM

  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
     
    :Processes
    explorer.exe
    
    :Services
    
    :Reg
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Search Bar"=""
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
    "Search Bar"=""
    [HKEY_CLASSES_ROOT\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}]
    [HKEY_CLASSES_ROOT\CLSID\{C4069E3A-68F1-403E-B40E-20066696354B}]
    [HKEY_CLASSES_ROOT\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}]
    [HKEY_CLASSES_ROOT\CLSID\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_CLASSES_ROOT\CLSID\{75043d1c-9eab-49ab-8754-c5ed61041508}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{C4069E3A-68F1-403E-B40E-20066696354B}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{75043d1c-9eab-49ab-8754-c5ed61041508}]
    
    :Files
    C:\Program Files\Tango
    c:\windows\system32\f878.dll
    
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]
    


     

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
     
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

Step 2

Your version of Adobe Acrobat Reader is outdated and vulnerable. Go to Start > Control Panel > Add or Remove Programs and remove the following program:

Adobe Reader

Then go to to http://www.adobe.com and download and install the current version, When you install it, be careful to UNcheck any optional toolbar installation unless you really want the toolbar.

 

Step 3

Please scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetOnline.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetSmartInstall.png to download the ESET Smart Installer. Save it to your Desktop.
    • Double click on the esetSmartInstallDesktopIcon.png icon on your Desktop.

    [*]Check esetAcceptTerms.png

    [*]Click the esetStart.png button.

    [*]Accept any security warnings from your browser.

    [*]Check esetScanArchives.png

    [*]Push the Start button.

    [*]ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.

    [*]When the scan completes, push esetListThreats.png

    [*]Push esetExport.png, and save the file to your Desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply along with the OTM Log.

    [*]Push the esetBack.png button.

    [*]Push esetFinish.png

Share this post


Link to post
Share on other sites

OTM report:

 

All processes killed

========== PROCESSES ==========

No active process named explorer.exe was found!

========== SERVICES/DRIVERS ==========

========== REGISTRY ==========

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\"Search Bar"|"" /E : value set successfully!

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\"Search Bar"|"" /E : value set successfully!

========== FILES ==========

File/Folder C:\Program Files\Tango not found.

File/Folder c:\windows\system32\f878.dll not found.

========== COMMANDS ==========

C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.

HOSTS file reset successfully

 

[EMPTYTEMP]

 

User: All Users

 

User: Guest

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 0 bytes

 

User: Hopper

->Temp folder emptied: 541609 bytes

->Temporary Internet Files folder emptied: 1662609 bytes

->Java cache emptied: 0 bytes

->FireFox cache emptied: 43189495 bytes

->Google Chrome cache emptied: 0 bytes

->Flash cache emptied: 405 bytes

 

User: Intel

 

User: LocalService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

User: NetworkService

->Temp folder emptied: 0 bytes

->Temporary Internet Files folder emptied: 33170 bytes

 

%systemdrive% .tmp files removed: 0 bytes

%systemroot% .tmp files removed: 0 bytes

%systemroot%\System32 .tmp files removed: 0 bytes

%systemroot%\System32\dllcache .tmp files removed: 0 bytes

%systemroot%\System32\drivers .tmp files removed: 0 bytes

Windows Temp folder emptied: 17068 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes

%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes

RecycleBin emptied: 731181645 bytes

 

Total Files Cleaned = 741.00 mb

 

Restore point Set: OTM Restore Point (0)

 

OTM by OldTimer - Version 3.1.12.2 log created on 06052010_015936

 

 

ESET OnlineScan report:

 

C:\Program Files\Hotspot Shield\bin\openvpnas.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined

C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrdApp.dll probably a variant of Win32/Adware.Lifze.A application cleaned by deleting (after the next restart) - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP276\A0042009.dll a variant of Win32/Adware.OneStep.G application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP276\A0042010.exe a variant of Win32/Adware.OneStep.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP278\A0042165.exe a variant of Win32/Adware.OneStep.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP279\A0043318.dll a variant of Win32/Adware.OneStep.G application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP279\A0043319.exe a variant of Win32/Adware.OneStep.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP279\A0043330.exe a variant of Win32/Adware.OneStep.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP280\A0043342.dll a variant of Win32/Adware.OneStep.G application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP280\A0043343.exe a variant of Win32/Adware.OneStep.H application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP284\A0043589.exe a variant of Win32/HotSpotShield application cleaned by deleting - quarantined

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP284\A0043590.dll probably a variant of Win32/Adware.Lifze.A application cleaned by deleting - quarantined

C:\_OTM\MovedFiles\06032010_184945\C_Program Files\SpaceQuery\SpaceQuery_deleted_\spacequery.dll a variant of Win32/Adware.OneStep.G application cleaned by deleting - quarantined

D:\ThumbDrive Backup\Misc\Mini Computer\Free VPN\HSS-1.21-install-anchorfree-76-conduit.zip a variant of Win32/HotSpotShield application deleted - quarantined

D:\ThumbDrive Backup\Misc\Mini Computer\Torrent\Aduio_Video converter\FFSetup210.zip a variant of Win32/Adware.ADON application deleted - quarantined

D:\ThumbDrive Backup\Misc\Portable Aps\Portable Suites\Lupo PenSuites\Lupo_PenSuite_v6.75_Full.exe probably a variant of Win32/Agent trojan deleted - quarantined

G:\Toshiba_28May2010\Mini Computer\Free VPN\HSS-1.21-install-anchorfree-76-conduit.zip a variant of Win32/HotSpotShield application deleted - quarantined

G:\Toshiba_28May2010\Mini Computer\Portable Aps\Portable Suites\Lupo PenSuites\Lupo_PenSuite_v6.75_Full.exe probably a variant of Win32/Agent trojan deleted - quarantined

G:\Toshiba_28May2010\ThumbDrive Backup\Misc\Mini Computer\Free VPN\HSS-1.21-install-anchorfree-76-conduit.zip a variant of Win32/HotSpotShield application deleted - quarantined

G:\Toshiba_28May2010\ThumbDrive Backup\Misc\Mini Computer\Torrent\Aduio_Video converter\FFSetup210.zip a variant of Win32/Adware.ADON application deleted - quarantined

 

Adobe Reader is also updated.

 

Thanks.

Edited by tweetiepie

Share this post


Link to post
Share on other sites

Now I am not able to open Firefox. When I try to open Firefox, I get a runtime error. I have removed Firefox and re-installed it and FF still will not open. Not sure what happened as I have not my used my computer after I completed the 2 scan above. How do I fix my FF?

 

The Runtime error is:

Edited by tweetiepie

Share this post


Link to post
Share on other sites

Program: C:\Program Files\Mozilla Firefox\firefox.exe

 

This application has requested the runtime to terminate it in an unusual way.

Please contact the application's support team for more information.

Share this post


Link to post
Share on other sites

I have re-installed Firefox and it is working again. Is there anything else I need to do to remove Tango permanently?

 

Thanks

Share this post


Link to post
Share on other sites

Here is the new HJT report:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 6:28:43 PM, on 07/06/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\fxssvc.exe

C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

C:\WINDOWS\system32\cba\casvc.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Documents and Settings\Hopper\Desktop\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O1 - Hosts: ÿþ127.0.0.1 localhost

O1 - Hosts: ::1 localhost

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL

O2 - BHO: Video Download Toolbar Helper - {83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FoxmarksDLLBHO - {A2A71ABA-3939-43B2-BD8F-8C1767EF9020} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll

O2 - BHO: ShpngrdHlpr - {A3ED2449-E049-4ab9-A059-DD0F9BA1BA44} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Video Download Toolbar IE Browser Helper Object - {B29002A0-87A1-4DC4-AC55-5982034EB61E} - C:\PROGRA~1\VIDEOD~1\V330~1.2\RESOUR~1\VIDEOD~1.DLL

O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll

O3 - Toolbar: Video Download Toolbar - {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.40&build=Symantec&a=00000082.0000001e.00000059&b=00000082.00000046.000000b5&c=00000082.00000097.000001cd

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Bluetooth.lnk = ?

O4 - Global Startup: McAfee Security Scan Plus.lnk = ?

O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\MediaManager\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\MSNXP~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://connectphl02.sap.com

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl02.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853

O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl02.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173335266491

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl02.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

O23 - Service: Intel Certificate Authority - Intel Corporation - C:\WINDOWS\system32\cba\casvc.exe

O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe

O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero7.9.6.0\Extracted Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TMA Distribution - Unknown owner - C:\WINDOWS\system32\cba\lcfinst.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

 

--

End of file - 14767 bytes

Share this post


Link to post
Share on other sites

Hello again,

 

Step 1

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

 

O1 - Hosts: ÿþ127.0.0.1 localhost

O1 - Hosts: ::1 localhost

 

Now close all windows other than Hijackthis, then click Fix Checked. Close HijackThis.

 

Step 2

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

 

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

 

2. To optimize scanning time and produce a more sensible report for review:

  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.

3. Click Run at the Security prompt.

 

The program will then begin downloading and installing and will also update the database.

Please be patient as this can take quite a long time to download.

  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, adware, dialers, and other riskware
  • Archives
  • E-mail databases

[*]Click on My Computer under the green Scan bar to the left to start the scan. [*]Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. [*]Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined. [*]Click View report... at the bottom.

[*] Click the Save report... button.

 

KasReport.png

 

 

[*] Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply along with a new HJT Log

Share this post


Link to post
Share on other sites

Kaspersky Report:

 

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, June 10, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, June 10, 2010 01:42:05

Records in database: 4241739

--------------------------------------------------------------------------------

 

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

 

Scan area - My Computer:

C:\

D:\

F:\

G:\

 

Scan statistics:

Objects scanned: 139656

Threats found: 5

Infected objects found: 9

Suspicious objects found: 0

Scan duration: 03:38:34

 

 

File name / Threat / Threats count

C:\Documents and Settings\Hopper\Desktop\backups\backup-20100603-183508-225.dll Infected: Trojan.Win32.Pasta.lcs 1

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP279\A0042313.dll Infected: Trojan.Win32.Pasta.lcs 1

C:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP284\A0043591.dll Infected: not-a-virus:AdWare.Win32.Zwangi.acn 1

C:\_OTM\MovedFiles\06032010_184945\C_Documents and Settings\Hopper\Application Data\GabPath\gabpath.exe Infected: Trojan-Downloader.Win32.Agent.drmo 1

C:\_OTM\MovedFiles\06032010_184945\C_Documents and Settings\Hopper\Application Data\Microsoft\Windows\jnipmo.exe Infected: Trojan-Downloader.Win32.Agent.drct 1

D:\System Volume Information\_restore{EA10BEA4-2D2C-494D-9EF3-5EC8A5B65143}\RP284\A0043616.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.an 1

D:\ThumbDrive Backup\Lupo PenSuites\Lupo PenSuite v6.74 Full\Apps\Extra\Registry\RegScanner\RegScanner.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.an 1

D:\ThumbDrive Backup\Lupo PenSuites\Lupo PenSuite v6.75 Full\Apps\Extra\Registry\RegScanner\RegScanner.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.an 1

D:\ThumbDrive Backup\Misc\Portable Aps\Portable Suites\Lupo PenSuites\Lupo_PenSuite_v6.74_Full.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.an 1

 

Selected area has been scanned.

 

 

HJT Report:

 

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 5:29:03 AM, on 10/06/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.17023)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

C:\WINDOWS\system32\cba\pds.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

C:\WINDOWS\system32\cba\casvc.exe

C:\WINDOWS\system32\cba\xfr.exe

C:\WINDOWS\system32\fxssvc.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Hopper\Desktop\HiJackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

R3 - URLSearchHook: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

R3 - URLSearchHook: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\IPSBHO.DLL

O2 - BHO: Video Download Toolbar Helper - {83BD144C-5E53-4E12-8E99-5A7F1BBF3EA0} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: FoxmarksDLLBHO - {A2A71ABA-3939-43B2-BD8F-8C1767EF9020} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll

O2 - BHO: ShpngrdHlpr - {A3ED2449-E049-4ab9-A059-DD0F9BA1BA44} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Video Download Toolbar IE Browser Helper Object - {B29002A0-87A1-4DC4-AC55-5982034EB61E} - C:\PROGRA~1\VIDEOD~1\V330~1.2\RESOUR~1\VIDEOD~1.DLL

O2 - BHO: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O3 - Toolbar: (no name) - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - (no file)

O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll

O3 - Toolbar: Video Download Toolbar - {E52BE12D-A44A-4F51-9DC1-34F37A488CC7} - C:\Program Files\Video Download Toolbar\v3.3.0.2\Video_Download_Toolbar.dll

O3 - Toolbar: Hotspot Shield Toolbar - {c95a4e8e-816d-4655-8c79-d736da1adb6d} - C:\Program Files\Hotspot_Shield\tbHot1.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files\Vuze_Remote\tbVuz1.dll

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE http://www.symantec.com/techsupp/servlet/ProductMessages?module=2009&error=0&language=en&product=SymNRT&version=2009.0.5.40&build=Symantec&a=00000082.0000001e.00000059&b=00000082.00000046.000000b5&c=00000082.00000097.000001cd

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

O4 - Global Startup: Bluetooth.lnk = ?

O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\Camex MP3 Player\MP3 Player Utilities 4.15\MediaManager\grab.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\MSNXP~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O9 - Extra 'Tools' menuitem: Xmarks for IE... - {638F11AA-DF27-433b-BA2E-7281CE561D71} - C:\Program Files\Xmarks\IE Extension\foxmarksdll.dll (HKCU)

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O15 - Trusted Zone: http://connectphl02.sap.com

O15 - Trusted Zone: *.stumbleupon.com

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://connectphl02.sap.com/vdesk/cachecleaner.cab#version=6030,2009,0622,1839

O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://connectphl02.sap.com/vdesk/terminal/InstallerControl.cab#version=6030,2009,0622,1853

O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://connectphl02.sap.com/vdesk/terminal/f5InspectionHost.cab#version=6030,2009,0622,1842

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173335266491

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://connectphl02.sap.com/policy/download_binary.php/win32/f5syschk.cab#Version=6030,2009,0622,1850

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BroadCam Service (BroadCamService) - Unknown owner - C:\Program Files\NCH Software\BroadCam\broadCam.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Eyeline Service (EyelineService) - Unknown owner - C:\Program Files\NCH Software\Eyeline\eyeline.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Hotspot Shield Routing Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe

O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE

O23 - Service: Intel Alert Handler - Intel Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe

O23 - Service: Intel Certificate Authority - Intel Corporation - C:\WINDOWS\system32\cba\casvc.exe

O23 - Service: Intel File Transfer - Intel Corporation - C:\WINDOWS\system32\cba\xfr.exe

O23 - Service: Intel PDS - Intel Corporation - C:\WINDOWS\system32\cba\pds.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - Unknown owner - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe (file missing)

O23 - Service: NBService - Nero AG - C:\Program Files\Nero7.9.6.0\Extracted Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.8.0.41\ccSvcHst.exe

O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: StumbleUponUpdateService - stumbleupon.com - C:\Program Files\StumbleUpon\StumbleUponUpdateService.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: TMA Distribution - Unknown owner - C:\WINDOWS\system32\cba\lcfinst.exe

O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

 

--

End of file - 14157 bytes

Share this post


Link to post
Share on other sites

Nice job your log looks clean!

Please use the following suggestions to help prevent reinfection.

 

  • Download OTC to your desktop and run it
  • Click Yes to beginning the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.

 

System Restore maintains a backup of your programs and may also backup infections. I recommend using the following link on how to disable and then enable System Restore.

Windows XP

 

The following is a list of tools and utilities that I like to suggest to people to help keep from getting infected again. As a note, all of the tools and utilities mentioned are either free or have free versions available.

 

ThreatFire - Great antivirus supplement when using a free security program approach using behavior-based security.

**Tutorial on installing & using this product can be found HERE**

 

FileHippo.com Update Checker - Stay up to date on all of your applications with this powerful tool that will scan, detect, check, and secure the applications installed on your computer.

 

WOT Web of Trust - Warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory.

 

MVPS Hosts file - This handy download replaces your current HOSTS file with one containing well known ad sites and other bad/malicous sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

 

TFC Cleaner - Great tool to help speed up your computer and knock out malware that like to reside in temporary folders.

 

Firewall A firewall is very important program in order to protect your computer from hackers. I notice that you don't have one installed! Therefore I recommend Online Armor, PC Tools Firewall Plus, or Outpost.

**Tutorial on Firewalls can be found HERE**

 

Internet Browser - Internet Explorer is not the safest nor the fastest internew browser anymore. There are way better alternatives out there that are faster, more secure, and have many more useful features. I recommend Opera or Google Chrome

 

It is important to run only one of each type of protection program in resident mode at a time since conflicts can make them less effective. This would mean only one resident antivirus, firewall and scanning type of anti-spyware. Programs like Spyware Blaster and MBAM do not conflict with any of these since they don't have a real time scanning engine that would conflict.

 

Windows Updates - It is highly recommended to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

 

Finally, I strongly recommend action-smiley-036.gifHow did I get infected in the first place? (by Tony Klein)

 

Good luck and safe surfing :)

Share this post


Link to post
Share on other sites

Thanks so much for all your help!

 

I noticed that I have a few things that is on my start up and was wondering if I should disable it using msconfig:

 

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

 

Should I use HJT to delete this as I am not susing it?

 

O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')

Share this post


Link to post
Share on other sites

I am not sure what is this so should I get rid of it with HJT?

 

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll

Share this post


Link to post
Share on other sites

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE ~ You can check this in HJT and fix it. No need for MSCONFIG.

http://www.systemlookup.com/Startup/596.html

 

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe ~ You can check this in HJT if you want to and fix it. No need for MSCONFIG.

http://www.systemlookup.com/Startup/2443-ctfmon_exe.html

 

Removing the lines of Picasa Media Detector from HJT will only prevent it from starting up when Windows boots. If you want to remove it completely you will have to go into Add or Remove Programs.

 

O9 - Extra button: Shoppinguard.com - {B67544A0-D1AC-4c74-8D28-1E3421CFFB77} - C:\Program Files\Shoppinguard.com\shpngrd\1.3.61.1\shpngrd.dll ~ You can leave that, reported to be legit and part of Shopping Guard Toolbar.

http://www.systemlookup.com/CLSID/70111-shpngrd_dll.html

Share this post


Link to post
Share on other sites

Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.
Sign in to follow this  
Followers 0