I have detected several serious viruses, please help me with their removal


  • This topic is locked
11 replies to this topic

#1 Lonnie

    Member

  • Helper Trainee
  • 26 posts

Posted 22 May 2007 - 06:05 PM

Hello, I wish I could be visiting this forum under better circumstances but unfortunately I have gotten some bad viruses and need to clean my system of them. I have read the FAQs.

My computer has been acting up with pop-ups, even when IE is closed but mostly when it is open. It also gets hijacked and redirects when going to some websites. For example, a weight loss site I frequent now gets redirected to My Finder.net and at the top of the explorer window it says page could not load. The pop-ups that always load up, load up pages by “Advertisement Outerinfo”; this is what it says at the top of the IE window. All the advertisements are different but it is usually local singles related stuff or celebrity trivia win free iPod stuff.

All the problems seem to be related to my profile, not my wife's. She doesn’t get pop-ups that I am aware of and I do not get redirected with her IE.

I have been using Firefox and I thought it wasn't being affected by pop-ups or redirects, but it also might be being hijacked, though I'm not sure.

Also I have seen some program icons pop up on my desktop, although I deleted them before writing them down, sorry.

Before even going to this forum I did two scans with AVG and saved the second log; it caught several high level viruses. There were also lots of medium level and low level ones but I did not write those down. I will provide the log below but here is a list of the high level ones:

Trojan.Agent
Downloader.Age
Trojan.Small
Backdoor.Bifrose.afd
Downloader.PurityScan.ee


After this I went to this forum, I did a scan with Ad-Aware and Spybot Search & Destroy; I kept the log from Ad-Aware and a screenshot of Spybot should you need them.

I then scanned with HijackThis and will also provide you the log below.

A couple other things to note: I am having a problem with InstallShield, where I can not install some programs. I get the error “The Windows Installer service could not be accessed.” Also I have been having issues with XP profile switching. Sometimes it asks for a password to switch to the other profile I have on the computer but none of my profiles use passwords so it doesn’t accept any and I have to reboot.

I do not know if these issues are related but I thought I should mention them just in case.


Here are the AVG log and HijackThis log.

I look forward to a response, thank you
LB


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:56:11 PM 5/22/2007

+ Scan result:



C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033701.dll -> Adware.CommAd : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033702.exe -> Adware.CommAd : No action taken.
C:\Program Files\eMule\Incoming\A4Desk Flash Website And Menu Builder 4.02.exe/mmwork.exe -> Adware.MediaMotor : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033703.exe -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033704.dll -> Adware.PurityScan : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033705.exe -> Adware.Softomate : No action taken.
C:\Program Files\webHancer -> Adware.Webhancer : No action taken.
C:\Program Files\webHancer\Programs -> Adware.Webhancer : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033699.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033700.exe -> Adware.WebHancer : No action taken.
E:\AVG Anti-Spyware Plus 7.5.0.47.rar/avgas-setup-7.5.0.47.exe/unpack.exe -> Backdoor.Bifrose.afd : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033694.exe -> Downloader.Age : No action taken.
C:\Documents and Settings\Oldkrow\Local Settings\Temp\!update.exe -> Downloader.PurityScan.ee : No action taken.
C:\Documents and Settings\Oldkrow\Local Settings\Temporary Internet Files\Content.IE5\OPI34LQV\!update-4395[1].0000 -> Downloader.PurityScan.ee : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033689.exe -> Downloader.PurityScan.eh : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033690.exe -> Downloader.PurityScan.eh : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033691.exe -> Downloader.Small.buy : No action taken.
C:\Documents and Settings\Oldkrow\Local Settings\Temporary Internet Files\Content.IE5\OPEFK5UR\SystemDoctorNewReleaseInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033706.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : No action taken.
E:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033707.exe -> Not-A-Virus.VirTool.Win32.Patcher.a : No action taken.
C:\Documents and Settings\Oldkrow\Cookies\oldkrow@realmedia[2].txt -> TrackingCookie.Realmedia : No action taken.
C:\Documents and Settings\Oldkrow\Cookies\oldkrow@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : No action taken.
C:\Documents and Settings\Emily\Cookies\emily@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Oldkrow\Cookies\oldkrow@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033692.exe -> Trojan.Agent : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033693.exe -> Trojan.Agent : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033686.exe -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033687.dll -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033688.exe -> Trojan.Rond : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033695.vbs -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033696.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{C5318C23-9D2D-439D-93A0-142302474523}\RP265\A0033697.vbs -> Trojan.Small : No action taken.
C:\WINDOWS\system32\wapiicomsv.exe -> Trojan.Small : No action taken.


::Report end
-------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 3:39:17 PM, on 5/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\Oldkrow\Application Data\??sks\m?iexec.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride =
*.r1.attbi.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} -
C:\WINDOWS\System32\xtyoe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {C95E421F-D6D7-887B-8A08-FDADDFCC7294} -
C:\WINDOWS\System32\tqagekao.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program
Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O2 - BHO: (no name) - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -
C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} -
C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe
rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware
7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe
C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000206.exe
61A847B5BBF72810329B385472FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Andp] "C:\Documents and Settings\Oldkrow\Application
Data\??sks\m?iexec.exe"
O4 - HKCU\..\Run: [Dooe] "C:\WINDOWS\System32\MCROSO~1.NET\notepad.exe" -vt ndrv
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} -
C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} -
C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file
missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.airnav.com
O15 - Trusted Zone: http://www.avsim.com
O15 - Trusted Zone: http://*.avsim.net
O15 - Trusted Zone: www.gymboree.com
O16 - DPF: YExplorer1_8US.CAB -
http://photos.groups...plorer1_8us.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) -
http://members9.club...tl_uploader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX
Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program
Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -
http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://update.micros.../wuweb_site.cab?
1139481533968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.../housecall/xsca
n53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) -
http://www.vzwpix.co...loadControl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX
Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin)
- http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) -
http://www.live365.c...ers/play365.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) -
http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}:
NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}:
NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}:
NameServer = 69.50.168.138,85.255.112.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe
Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program
Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -
C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common
Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec
Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program
Files\TightVNC\WinVNC.exe" -service (file missing)



#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 25 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 26 May 2007 - 03:46 PM

Hi,

Please re-submit your HijackThis log.

Before you do, turn off the Word Wrap function in Notepad.

Look in the menu > Format and remove the word wrap.

Wait for further instructions from me.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 Lonnie

    Member

  • Helper Trainee
  • 26 posts

Posted 28 May 2007 - 12:44 PM

I took the word wrap off and rescanned with HijackThis, then resubmitted the log below. Should you need the first log I still have that too. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 10:39:51 AM, on 5/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - C:\WINDOWS\System32\xtyoe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {C95E421F-D6D7-887B-8A08-FDADDFCC7294} - C:\WINDOWS\System32\tqagekao.dll (file missing)
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O2 - BHO: (no name) - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000206.exe 61A847B5BBF72810329B385472FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Dooe] "C:\WINDOWS\System32\MCROSO~1.NET\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.airnav.com
O15 - Trusted Zone: http://www.avsim.com
O15 - Trusted Zone: http://*.avsim.net
O15 - Trusted Zone: www.gymboree.com
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members9.club...tl_uploader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1139481533968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}: NameServer = 69.50.168.138,85.255.112.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)



#5 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 28 May 2007 - 02:51 PM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Open your Control Panel in *Add/Remove Programs* look for the following

Think-Adz Search Assistant
Enhanced Ads by Think-Adz
Surfsidekick
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
Snowballwars by Oin
Cowabanga by OIN
(Anything) by OIN
Zolero
Tizzletalk
MediaTickets
Cowabanga
outerinfo

and any other programs you didn't install or don't recognize - if you're not sure please ask first.

If found, click on it and click remove.

Do not restart the computer

Then, download and run this OiUninstaller.exe uninstaller: follow the instructions on this page.
http://www.outerinfo.com/howto.html

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - C:\WINDOWS\System32\xtyoe.dll (file missing)
O2 - BHO: (no name) - {C95E421F-D6D7-887B-8A08-FDADDFCC7294} - C:\WINDOWS\System32\tqagekao.dll (file missing)
O2 - BHO: (no name) - {F0C08B30-BA30-4FEB-924B-2E250CF0697D} - (no file)
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\popcorn72.exe rundll.dll,LoadMouseProfile
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu2000206.exe 61A847B5BBF72810329B385472FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Dooe] "C:\WINDOWS\System32\MCROSO~1.NET\notepad.exe" -vt ndrv


Click on Fix Checked when finished and exit HijackThis.

Delete these files/folders in bold if found.

Files
C:\WINDOWS\retadpu2000206.exe
C:\WINDOWS\System32\popcorn72.exe

Folders
C:\Program Files\Ipwindows\
C:\WINDOWS\System32\MCROSO~1.NET\

Restart the computer normally to reset the registry.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


p.s.
Check with your Internet provider and make sure these IP addresses are required by the service.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}:
NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}:
NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}:
NameServer = 69.50.168.138,85.255.112.19


nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
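The checks the helper applies in the post above can be scripted so that a reviewer does not have to eyeball every line: the O1 hosts-file overrides, the O17 NameServer entries that the p.s. says to confirm with the ISP, the entries tagged "(file missing)" or "(no file)", and the proxy setting in the R1 line. The script below is an added example, not part of this thread and not a feature of HijackThis or SDFix. It parses the plain-text log format shown in the posts and reports those entries; as a check added here, it also flags O4 autorun paths containing characters Windows does not allow in file names, which is how the "??sks\m?iexec.exe" entry in the first log shows up. The sample lines are taken from the logs in this thread; EXPECTED_DNS is a placeholder the operator replaces with the resolvers their ISP confirms.

```python
import re
from dataclasses import dataclass


# An R/O entry line: section code such as "O17", then " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
# HijackThis prints "?" for characters it cannot render, and "?*<>|" can never
# appear in a real Windows file name, so any of them inside an autorun path
# means the on-disk name uses lookalike or non-printable characters.
BAD_PATH_CHARS = set("?*<>|")
# Sections whose entries name a file on disk and may carry a "(file missing)" tag.
FILE_SECTIONS = {"O2", "O3", "O4", "O9", "O18", "O20", "O23"}


@dataclass
class Entry:
    section: str
    body: str


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info"
    section: str
    reason: str
    line: str


def parse_hjt(log_text: str) -> list[Entry]:
    """Return the R/O entries of a HijackThis log; headers and the process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(log_text: str, expected_dns: set[str]) -> list[Finding]:
    """Run the checks over a log. expected_dns is the resolver list the operator
    confirmed with the ISP; any O17 NameServer outside it is reported."""
    findings: list[Finding] = []
    for e in parse_hjt(log_text):
        line = f"{e.section} - {e.body}"
        if e.section == "O1":
            m = HOSTS_RE.match(e.body)
            if m and m.group("ip") not in ("127.0.0.1", "::1"):
                findings.append(Finding("high", "O1",
                    f"hosts file sends {m.group('host')} to {m.group('ip')}", line))
        elif e.section == "O17":
            m = NAMESERVER_RE.search(e.body)
            if m:
                rogue = [s for s in m.group("servers").split(",") if s not in expected_dns]
                if rogue:
                    findings.append(Finding("high", "O17",
                        "DNS server(s) not in the expected list: " + ", ".join(rogue), line))
        elif e.section.startswith("R") and "ProxyServer = " in e.body:
            value = e.body.split("ProxyServer = ", 1)[1].strip()
            if value:
                findings.append(Finding("info", e.section, f"proxy configured: {value}", line))
        elif e.section in FILE_SECTIONS:
            if "(file missing)" in e.body or "(no file)" in e.body:
                findings.append(Finding("medium", e.section,
                    "entry points at a file that no longer exists", line))
            # For O4 autoruns, inspect only the command after the [Name] tag.
            if e.section == "O4" and BAD_PATH_CHARS & set(e.body.split("]", 1)[-1]):
                findings.append(Finding("medium", "O4",
                    "autorun path contains characters Windows does not allow in file names", line))
    return findings


# Sample input: lines taken from the logs in this thread plus two benign
# entries, embedded so the script runs offline.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r1.attbi.com:8000
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - C:\WINDOWS\System32\xtyoe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Andp] "C:\Documents and Settings\Oldkrow\Application Data\??sks\m?iexec.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Placeholder (documentation address): the operator replaces this with the
# resolvers their ISP confirmed, as the p.s. above asks.
EXPECTED_DNS = {"192.0.2.53"}

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

Run as-is it reports five findings from the sample: the proxy line as informational, the hosts override and the two unexpected resolvers as high, and the orphaned BHO plus the unrenderable autorun path as medium. Entries for legitimate software (the Java BHO, the QuickTime autorun, the Symantec service) produce nothing, which is the point: the script narrows the log to what needs a human decision rather than deciding anything by itself.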

#6 Lonnie

    Member

  • Helper Trainee
  • 26 posts

Posted 07 June 2007 - 02:16 AM

Sorry it took so long to get back to you, but I was out of town for a very long trip and also forgot that I would not get another reminder email. I've done everything you asked and here are the logs.

SDFix: Version 1.86

Run by Oldkrow - Wed 06/06/2007 - 23:54:59.09

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Oldkrow\Desktop\sdfix\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\C9LLT0~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\M83F1P~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\UA1NJL~1.HTM - Deleted
C:\WINDOWS\SYSTEM32\WINCTR~1.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINCTR~2.EXE - Deleted
C:\WINDOWS\SYSTEM32\WINCTR~3.EXE - Deleted
C:\WINDOWS\system32\winsys.exe - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\DOCUME~1\Oldkrow\LOCALS~1\Temp\tmp*.tmp - Deleted


Folder C:\Program Files\Ipwindows - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking if ADS is attached to ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Oldkrow\Desktop\sdfix\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Emily\My Documents\My Music\Lisa Loeb - The Very Best Of Lisa Loeb (2006) - Pop [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\TMPbdl7gpyplm.htm
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\TMPbfzsfpypoq.htm
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\_MPWBX~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\archives\TMP7hc5dpykju.htm
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\archives\TMPtxk1mmz5kz
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Illustrator\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Illustrator\galleries\_MPE65~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Illustrator\galleries\_MPE83~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Illustrator\galleries\_MPGDN~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Illustrator\galleries\IMAGES\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Images\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\Photoshop\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\cpy of Lonniebruhn.com\_NOTES\dwSiteColumnsMe.xml
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\TMPbdl7gpyplm.htm
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\TMPbfzsfpypoq.htm
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\_MPWBX~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\Illustrator\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\Illustrator\galleries\_MPE65~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\Illustrator\galleries\_MPE83~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\Illustrator\galleries\_MPGDN~1.HTM
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\Illustrator\galleries\IMAGES\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\www\Images\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\www\Photoshop\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\www\sched_pics\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\www\sched_pics\kristine\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\www\sharing\Thumbs.db
C:\Documents and Settings\Oldkrow\My Documents\Lonniebruhn.com\_NOTES\dwSiteColumnsMe.xml
C:\Program Files\Ipswitch\WS_FTP Professional\wsftpgui.exe-CommandBars
C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe
C:\Documents and Settings\Emily\Desktop\~WRL1197.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0002.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0003.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0183.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0392.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0535.tmp
C:\Documents and Settings\Emily\My Documents\~WRL0877.tmp
C:\Documents and Settings\Emily\My Documents\~WRL1302.tmp
C:\Documents and Settings\Emily\My Documents\~WRL1410.tmp
C:\Documents and Settings\Emily\My Documents\~WRL1438.tmp
C:\Documents and Settings\Emily\My Documents\~WRL1907.tmp
C:\Documents and Settings\Emily\My Documents\~WRL1968.tmp
C:\Documents and Settings\Emily\My Documents\~WRL2118.tmp
C:\Documents and Settings\Emily\My Documents\~WRL2332.tmp
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0001.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0002.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0003.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0020.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0065.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0224.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0387.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0449.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0758.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0893.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL0970.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL1046.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL1358.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL1550.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL1772.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL2345.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL2808.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL3281.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL3370.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL3431.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie Bruhn's Promo Kit\Promo going out\_WRL3847.TMP
C:\Documents and Settings\Oldkrow\My Documents\Lonnie's Web Site\Lonnie's Web\PAGES\midget_fucking2_jpg.htm.TMP
C:\Documents and Settings\Oldkrow\My Documents\Think Tank Radeo Show\_WRL0003.TMP
C:\Documents and Settings\Oldkrow\My Documents\Think Tank Radeo Show\_WRL0005.TMP
C:\Documents and Settings\Oldkrow\My Documents\Think Tank Radeo Show\_WRL0174.TMP
C:\Documents and Settings\Oldkrow\My Documents\Think Tank Radeo Show\_WRL3871.TMP
C:\WINDOWS\LastGood.Tmp\INF\oem6.inf
C:\WINDOWS\LastGood.Tmp\INF\oem6.PNF
C:\Documents and Settings\Oldkrow\Start Menu\chintzyc.zip\Desktop.ini
C:\Program Files\Flight Sim 2004\Scenery\pdx2004ver3.zip\pdx2004\Thumbs.db
C:\Program Files\Flight Sim 2004\Scenery\pdx2004ver3.zip\pdx2004\texture\Thumbs.db

Listing User Accounts:

User accounts for \\DESKTOP2

Administrator ASPNET Emily
FS cockpit Guest HelpAssistant
IUSR_DESKTOP2 IWAM_DESKTOP2 Oldkrow
SUPPORT_388945a0


Finished



Logfile of HijackThis v1.99.1
Scan saved at 12:22:04 AM, on 6/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.airnav.com
O15 - Trusted Zone: http://www.avsim.com
O15 - Trusted Zone: http://*.avsim.net
O15 - Trusted Zone: www.gymboree.com
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members9.club...tl_uploader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1139481533968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}: NameServer = 69.50.168.138,85.255.112.19
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)



Thank you again in advance
LB

#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 07 June 2007 - 08:57 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Nice work, just some clean up to do.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.

No urgency but I would update my Java.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version. <- important.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#8 Lonnie

Lonnie

    Member

  • Helper Trainee
  • 26 posts

Posted 07 June 2007 - 02:37 PM

Thank you for the quick response.

OK, I took out that last key with HijackThis. Honestly, I was going to do that on your last set of instructions, but in those instructions you had that key in the list you asked me to remove, and it had a file at the end in the above list, so because it did not completely match I chose not to remove it until I was told to.

I tried to update my Java, but something is wrong with my Windows Installer so I can't remove the other Java apps. I do not believe this is the same issue; I think it is just messed up. I get errors. This will be another project. Next I will contact my service provider and find out about those IP numbers.

I'll let you know how this is going, because I did a scan with AVG and it had two high level infections, and on some sites I am still getting redirects to foxic.net. For example, I was trying to go to a page, www.kpam.com, and down at the bottom it says page not found; up at the top in the address bar it says www.kpam.com, but the page is a page called foxic.net and it has several links to porn related sites and then a couple of main links to other radio services.

Do you want my latest log of hijackthis or avg?
LB

Edited by Lonnie, 07 June 2007 - 02:40 PM.


#9 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 07 June 2007 - 06:47 PM

I know for a fact that the 85.255.112.19 IP address is bad.

O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}: NameServer = 69.50.168.138,85.255.112.19

Check with your Internet provider to find out if the 69.50.168.138 address is good.

Then execute this.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from this site:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4F79B42-0D0F-485B-8CC9-D4D598179606}: NameServer = 69.50.168.138,85.255.112.19


Click Fix Checked. Close HijackThis, and click OK to proceed.

At the end of the fix, you need to restart your computer again.

Note:

If you have problems with your internet connection after this fix, try this.
Please go to Start -> Control Panel, and choose Network Connections. Then right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer.


Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.
nasdaq

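The O17 check nasdaq walks through above, as an added example that is not part of this thread and not code from HijackThis or FixWareout: a small Python script that parses the O17 NameServer lines out of a HijackThis log and flags every resolver that is not one the ISP confirmed, using the three O17 lines from this thread as constructed sample input. The ISP's resolver address (192.0.2.53) is a constructed placeholder, since the thread never gives it.

```python
import ipaddress
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample input: the three O17 lines quoted in this thread, plus one
# non-O17 line so the parser is seen to skip entries it is not responsible for.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {15E0FE62-33FD-3A5A-F04F-19E33B92F39C} - (no file)
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B497D8A9-CA01-4387-8108-EA488EF27E3C}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C09F75DA-1E7E-4EA7-BFC0-81B7CD7F800A}: NameServer = 69.50.168.138,85.255.112.19
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F4F79B42-0D0F-485B-8CC9-D4D598179606}: NameServer = 69.50.168.138,85.255.112.19
"""

# The one address the helper states is bad in this thread. Anything else that
# is not on the ISP's list is reported as "unexpected" rather than "known rogue".
KNOWN_BAD: Set[str] = {"85.255.112.19"}

# HijackThis O17 format: registry key ending in the interface GUID, then the
# comma-separated NameServer value for that interface.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\.*\{(?P<guid>[0-9A-Fa-f-]{36})\}): "
    r"NameServer = (?P<servers>[\d.,\s]+)$"
)


class Finding(NamedTuple):
    interface_guid: str
    server: str
    reason: str


def parse_o17(log_text: str) -> Dict[str, List[str]]:
    """Map each interface GUID from the O17 lines to its configured name servers."""
    entries: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue  # R0/O2/O4/... lines are not DNS settings; ignore them here
        servers = [s.strip() for s in match.group("servers").split(",") if s.strip()]
        entries[match.group("guid")] = servers
    return entries


def audit_nameservers(log_text: str, expected_dns: Set[str],
                      known_bad: Set[str] = KNOWN_BAD) -> List[Finding]:
    """Flag every configured resolver that is not on the ISP-confirmed list.

    Private addresses (a home router acting as DNS forwarder) are tolerated;
    any public address the ISP did not confirm is reported, and the address
    the thread identifies as rogue is labelled as such.
    """
    findings: List[Finding] = []
    for guid, servers in parse_o17(log_text).items():
        for server in servers:
            try:
                ip = ipaddress.ip_address(server)
            except ValueError:
                findings.append(Finding(guid, server, "not a valid IP address"))
                continue
            if server in known_bad:
                findings.append(Finding(guid, server, "known rogue DNS server"))
            elif server not in expected_dns and not ip.is_private:
                findings.append(Finding(guid, server, "not one of the ISP's DNS servers"))
    return findings


def interfaces_sharing_servers(log_text: str) -> Dict[tuple, List[str]]:
    """Group interfaces by identical NameServer lists.

    Every interface being rewritten to the same foreign resolvers, as in this
    thread, points at a DNS-changing infection rather than a one-off typo.
    """
    groups: Dict[tuple, List[str]] = {}
    for guid, servers in parse_o17(log_text).items():
        groups.setdefault(tuple(servers), []).append(guid)
    return groups


if __name__ == "__main__":
    # 192.0.2.53 is a constructed placeholder for the ISP's real resolver.
    for f in audit_nameservers(SAMPLE_LOG, expected_dns={"192.0.2.53"}):
        print(f"{f.interface_guid}: {f.server} -> {f.reason}")
    for servers, guids in interfaces_sharing_servers(SAMPLE_LOG).items():
        print(f"{len(guids)} interface(s) share NameServer = {','.join(servers)}")
```

If the same script is run over the post-FixWareout log further down this thread, it reports nothing, because that log no longer contains any O17 lines.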

#10 Lonnie

Lonnie

    Member

  • Helper Trainee
  • 26 posts

Posted 08 June 2007 - 06:42 PM

Okay, here are the results: I did talk to my service provider, and the 69.50.168.138 IP was not anything they used.

Here is the first log report:

Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csquf.exe"

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1dedoc" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llams_ogol" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "ytpme" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "domdnb" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "orcimlh" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23tsniow" Deleted
....
»»»»» Misc files.
C:\WINDOWS\Help\SPAlert.chm Deleted
C:\WINDOWS\RDT.INI Deleted
C:\WINDOWS\System32\msblank.html Deleted
C:\WINDOWS\System32\WOINST32.EXE Deleted
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"SW20"="C:\\WINDOWS\\System32\\sw20.exe"
"SW24"="C:\\WINDOWS\\System32\\sw24.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"
"PayPal Virtual Debit Card"="rundll32.exe C:\\PROGRA~1\\PayPal\\PAYPAL~1\\OToolbar.dll,StartUp /dontopenmycards"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»



Here is the HijackThis log; however, there were no O17 strings to check. I'm assuming that is a good thing.

Logfile of HijackThis v1.99.1
Scan saved at 4:42:50 PM, on 6/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = https=sas.r1.attbi.com:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.r1.attbi.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Virtual Debit Card\PayPalHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: PayPal Virtual Debit Card - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Virtual Debit Card\OToolbar.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\System32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\System32\sw24.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [PayPal Virtual Debit Card] rundll32.exe C:\PROGRA~1\PayPal\PAYPAL~1\OToolbar.dll,StartUp /dontopenmycards
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.airnav.com
O15 - Trusted Zone: http://www.avsim.com
O15 - Trusted Zone: http://*.avsim.net
O15 - Trusted Zone: www.gymboree.com
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups...plorer1_8us.cab
O16 - DPF: {03177121-226B-11D4-B0BE-005004AD3039} (UploaderCtrl Class) - http://members9.club...tl_uploader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-30.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1139481533968
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.co...loadControl.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterf...ds/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)



hope that helps
LB

#11 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 09 June 2007 - 07:13 AM

Nice work, your log is clean.

Nothing urgent but I suggest you update your Java.

Updating Java
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version. <- important.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
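The step that matters most in the procedure above is "remove all older versions of Java", because each leftover JRE is a separately exploitable runtime. As an added example (my script, not nasdaq's or the forum's, and not something the original thread contained), here is a PowerShell version of that step for a current Windows host: it reads the same Uninstall registry keys that Add/Remove Programs displays, lists every entry with Java, JRE or J2SE in its name, and optionally uninstalls those older than the version you are keeping. The registry paths, the `msiexec /x` uninstall form and the `-KeepVersion` / `-Remove` parameter names are my assumptions; the default run changes nothing and only prints what it would do.

```powershell
# Added example, not part of the original thread: list every Java runtime that
# Windows knows about (the entries Add/Remove Programs shows) and, if asked,
# uninstall those older than the version you are keeping.
# Assumptions (mine, not the page's): PowerShell is available, and the JREs are
# MSI products registered under the standard Uninstall keys below.
param(
    [string]$KeepVersion = '',   # e.g. '1.6.0.10'; empty = list only
    [switch]$Remove              # default is a dry run that prints the commands
)

$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

function Get-InstalledJava {
    foreach ($root in $uninstallRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $p = Get-ItemProperty $key.PSPath
            # Same criterion as the post: anything with Java / JRE / J2SE in the name.
            if (-not $p.DisplayName -or $p.DisplayName -notmatch 'Java|J2SE|JRE') { continue }
            $ver = $null
            try { $ver = [version]$p.DisplayVersion } catch { }
            $guid = $null
            # MSI uninstall strings look like: MsiExec.exe /X{GUID}
            if ($p.UninstallString -match '\{[0-9A-Fa-f-]{36}\}') { $guid = $Matches[0] }
            [pscustomobject]@{
                Name            = $p.DisplayName
                Version         = $ver
                ProductCode     = $guid
                InstallLocation = $p.InstallLocation
            }
        }
    }
}

$installed = @(Get-InstalledJava | Sort-Object Version)
if ($installed.Count -eq 0) { Write-Host 'No Java runtimes registered.'; return }

$installed | Format-Table Name, Version, ProductCode -AutoSize

if ($KeepVersion) {
    $keep = [version]$KeepVersion
    $old  = @($installed | Where-Object { $_.Version -and $_.Version -lt $keep })
    foreach ($j in $old) {
        if (-not $j.ProductCode) {
            Write-Warning "$($j.Name): no MSI product code found; remove it via Add/Remove Programs."
            continue
        }
        $msiArgs = "/x $($j.ProductCode) /qn /norestart"
        if ($Remove) {
            Write-Host "Removing $($j.Name) $($j.Version)"
            Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait
        } else {
            Write-Host "Would run: msiexec.exe $msiArgs   # $($j.Name)"
        }
    }
    if ($Remove -and $old.Count -gt 0) {
        Write-Host 'Reboot before installing the new JRE, as the post says.'
    }
}
```

Run it from an elevated prompt with no arguments first to see what is installed; then `-KeepVersion 1.6.0.10` to preview the removals, and add `-Remove` only once the list looks right. Entries without an MSI product code still have to be removed by hand through Add/Remove Programs.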

#12 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 20 June 2007 - 07:59 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq



