
Outerinfo pop-up problem


18 replies to this topic

#1 dmesser403

Posted 24 May 2007 - 07:29 PM

Hello, I just started having a lot of pop-ups from Outerinfo. Thanks for your help!!

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:15 PM, on 1/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.prucar.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topprodu...ads/arview2.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://www.andersonf...timage40930.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictu...aploader_v6.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0522FD6-940C-4953-A325-2AE11C350E52}: NameServer = 10.10.70.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe

#2 SWI Support Robot

Posted 27 May 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 didom

Posted 27 May 2007 - 08:25 AM

Open HijackThis.
  • Click Open the Misc Tools section.
  • Click Open Uninstall Manager.
  • Click Save list (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


#4 dmesser403

Posted 30 May 2007 - 03:51 PM

Thank you! Here is the list:

ABBYY FineReader 5.0 Sprint Plus
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Adobe Shockwave Player
AOL Instant Messenger
Apple Software Update
Backspin Billiards
Bodog Poker Version 2.8.2.8
CardRd81
CCScore
CR2
Dell Photo AIO Printer 922
Dell Support
Disc2Phone
Documents To Go
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
essvcpt
ESSvpaht
ESSvpot
Form Viewer
FUJIFILM USB Driver
Full Tilt Poker
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HLPIndex
HLPPDOCK
HLPSFO
Intel® Extreme Graphics Driver
iPod for Windows 2006-01-10
iTunes
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Kodak EasyShare software
KSU
LAN-Fax Utilities
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Office Basic Edition 2003
MicroStaff WINASPI
Modem Helper
Musicmatch® Jukebox
NETGEAR WG511 54 Mbps Wireless PC Card
Notifier
OfotoXMI
OTtBP
OTtBPSDK
Outerinfo
Outlook Express Q823353
Paint Shop Pro 7
Palm Desktop
Paradise Poker
PartyPoker
PCTEL 2304WT V.92 MDC Modem Drivers
Quicken 2002 New User Edition
QuickTime
RealOne Player
ScanRouter V2 Link
SFR
SHASTA
SKIN0001
SKINXSDK
SmartNetMonitor for Client
Sony Ericsson PC Suite 1.20.224
Spybot - Search & Destroy 1.4
Spyware Doctor 3.2
Synaptics Pointing Device Driver
The Tournament Director 2
Travelogue 360 Paris
Viewpoint Media Player
VPRINTOL
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See wm828026 for more information]
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB824146
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883357
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889293
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP2) [See Q329390 for more information]
Windows XP Hotfix (SP2) [See Q329834 for more information]
Windows XP Hotfix (SP2) Q328310
Windows XP Hotfix (SP2) Q329170
Windows XP Hotfix (SP2) Q329441
Windows XP Hotfix (SP2) Q810565
Windows XP Hotfix (SP2) Q810577
Windows XP Hotfix (SP2) Q810833
Windows XP Hotfix (SP2) Q811493
Windows XP Hotfix (SP2) Q814033
Windows XP Hotfix (SP2) Q815021
Windows XP Hotfix (SP2) Q817287
Windows XP Hotfix (SP2) Q817606
Windows XP Hotfix (SP2) Q819696
WIRELESS

#5 didom

Posted 05 June 2007 - 09:09 AM

I'm sorry. I totally forgot this thread!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

I see Viewpoint installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint Media Player
    Also delete:
  • Outerinfo
Step #2

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Then reboot your computer.

Step #3

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open; click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#6 dmesser403

Posted 05 June 2007 - 09:39 PM

Incident Status Location

Virus:Trj/Agent.ERL Disinfected Operating system
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UERS_9999_N91S2507NetInstaller.exe
Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\BridgetBruner\Desktop\Click to Find and Fix Errors.url
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.cfexe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\!update.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\236DkqAa.exe
Adware:Adware/SpySheriff Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\95BZF3a.exe
Spyware:Spyware/LinkReplacer Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\F3BBC.tmp
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\ICD1.tmp\UERS_9999_N91S2507NetInstaller.exe
Spyware:Spyware/LinkReplacer Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\pmt.exe
Adware:Adware/eZula Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\s1pg.9.exe[²èÇ]
Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\Tam01065.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\TICHD003.exe
Potentially unwanted tool:Application/WinAntiVirus2007 Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\WinAntiVirusPro2007FreeInstall.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\YazzleBundle-1281.exe
Adware:Adware/Trymedia Not disinfected C:\Downloads\FamilyFeudSetup-dm[1].exe
Adware:Adware/eZula Not disinfected C:\HJT\backups\backup-20060123-210537-828.dll
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Common Files\Dell\EUSW\Support.exe
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\??curity\msdtc.exe
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@247realmedia[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@advertising[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@bs.serving-sys[1].txt
Spyware:Cookie/Go Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@go[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@serving-sys[1].txt
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
Virus:Trj/Agent.ERL Disinfected C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
Virus:Trj/Agent.ERL Disinfected C:\Program Files\REGSHAVE\REGSHAVE.EXE
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinAdmin.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
Adware:Adware/EliteBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\eliteunstall.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINDOWS\justin.exe.vir
Adware:Adware/Zenosearch Not disinfected C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dwdsregt.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hggefgf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hnmcxcsb.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\iiffdaa.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ikuuvdmx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkkligd.dll.bad
Adware:Adware/WinAntivirus2006 Not disinfected C:\VundoFix Backups\rnxwpgle.dll.bad
Spyware:Application/ErrorProtector Not disinfected C:\WINDOWS\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
Adware:Adware/Zeno Not disinfected C:\WINDOWS\SYSTEM32\pwinmsap.exe
Adware:Adware/Zenosearch Not disinfected C:\WINDOWS\SYSTEM32\rldsregm.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\S?mantec\r?gsvr32.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe
Adware:Adware/Ucmore Not disinfected C:\WINDOWS\SYSTEM32\T2\dlb66.exe
Adware:Adware/TTC Not disinfected C:\WINDOWS\SYSTEM32\T3\dlltk67.exe
Virus:Trj/Downloader.OJF

#7 dmesser403

Posted 05 June 2007 - 09:44 PM

Logfile of HijackThis v1.99.1
Scan saved at 22:43, on 2007-06-06
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Bodog Poker\BPGame.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.prucar.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topprodu...ads/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://www.andersonf...timage40930.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictu...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadc...tector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0522FD6-940C-4953-A325-2AE11C350E52}: NameServer = 10.10.70.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

#8 didom

Posted 06 June 2007 - 02:14 PM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\windows\downloaded program files\UERS_9999_N91S2507NetInstaller.exe
C:\Documents and Settings\BridgetBruner\Desktop\Click to Find and Fix Errors.url
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\!update.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\236DkqAa.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\95BZF3a.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\F3BBC.tmp
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\ICD1.tmp\UERS_9999_N91S2507NetInstaller.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\pmt.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\s1pg.9.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\Tam01065.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\TICHD003.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\WinAntiVirusPro2007FreeInstall.exe
C:\Documents and Settings\BridgetBruner\Local Settings\Temp\YazzleBundle-1281.exe
C:\Downloads\FamilyFeudSetup-dm[1].exe
C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@247realmedia[2].txt
C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@advertising[1].txt
C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@bs.serving-sys[1].txt
C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@go[2].txt
C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@serving-sys[1].txt
C:\WINDOWS\Downloaded Program Files\UERT_0001_D19M2109NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\SYSTEM32\pwinmsap.exe
C:\WINDOWS\SYSTEM32\rldsregm.exe
C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe
C:\WINDOWS\SYSTEM32\T2\dlb66.exe
C:\WINDOWS\SYSTEM32\T3\dlltk67.exe


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

You will now see that this is pasted into the "Full Path of File to Delete" field.
There's a little dropdown arrow next to that field.
If you expand it, all of these lines must be listed there together (if the files are present)!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as the BIOS has loaded, begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these folders (if they are still there):
C:\WINDOWS\SYSTEM32\T1QaSQ
C:\WINDOWS\SYSTEM32\T2
C:\WINDOWS\SYSTEM32\T3

C:\WINDOWS\SYSTEM32\S?mantec
C:\Program Files\Common Files\??curity


The "?" could be anything. Delete the folder and all of its contents.

Step #5

Go to Start > Run, type cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
Press OK to remove them.

Reboot your computer normally.

Step #6

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
Step #7
Download Combofix to your desktop (I need you to (re)download it again!).
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with the contents of the Dr.Web log you saved previously and a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Edited by didom, 06 June 2007 - 02:19 PM.

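The triage didom did by hand between the ActiveScan report in post #6 and Steps #1 and #4 of post #8 (which "Not disinfected" hits become the Killbox delete-on-reboot list, which are lookalike folders that have to be removed by hand, and which sit in the cleanup tools' own quarantine or backup folders) can be automated. The script below is an added example and is not code from the thread or from any of the tools mentioned; the bucket names, the tool-path list and the reading of "?" as a character the scanner could not render are my assumptions, and the sample lines are a subset of the report posted above.

```python
import re
from typing import Dict, List

# Each ActiveScan line reads "Category:Name Status Location"; Status is
# "Disinfected" or "Not disinfected", Location is a path or a generic area.
LINE_RE = re.compile(
    r"^(?P<kind>[^:]+):(?P<name>\S+)\s+(?P<status>Not disinfected|Disinfected)\s+(?P<location>.+)$"
)
# A trailing "[member]" after the extension names a file packed inside the
# container (installer/archive); only the container path itself can be deleted.
MEMBER_RE = re.compile(r"^(?P<path>.*\.[A-Za-z0-9]+)\[[^\]]*\]$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Assumption: hits under the cleanup tools' own quarantine/backup folders are
# already contained and are handled by those tools, not by Killbox.
TOOL_PREFIXES = ("c:\\combofix\\", "c:\\qoobox\\", "c:\\vundofix backups\\", "c:\\hjt\\backups\\")

# Constructed sample: a subset of the ActiveScan lines posted in this thread.
SAMPLE_REPORT = r"""Incident Status Location

Virus:Trj/Agent.ERL Disinfected Operating system
Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UERS_9999_N91S2507NetInstaller.exe
Adware:adware/surfaccuracy Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\ComboFix\nircmd.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Adware:Adware/eZula Not disinfected C:\Documents and Settings\BridgetBruner\Local Settings\Temp\s1pg.9.exe[²èÇ]
Adware:Adware/Trymedia Not disinfected C:\Downloads\FamilyFeudSetup-dm[1].exe
Adware:Adware/eZula Not disinfected C:\HJT\backups\backup-20060123-210537-828.dll
Virus:Trj/Agent.ERL Disinfected C:\Program Files\Common Files\Dell\EUSW\Support.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\??curity\msdtc.exe
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hggefgf.dll.bad
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\SYSTEM32\S?mantec\r?gsvr32.exe
Adware:Adware/Adsmart Not disinfected C:\WINDOWS\SYSTEM32\T1QaSQ\T1QaSQ1065.exe
Virus:Trj/Downloader.OJF
"""


def triage(report: str) -> Dict[str, List[str]]:
    """Sort ActiveScan hits into the actions the helper's instructions call for."""
    buckets: Dict[str, List[str]] = {
        "delete_on_reboot": [],    # concrete files for the Killbox "Delete on reboot" list
        "manual_folders": [],      # folders with unrenderable "?" characters: delete by hand
        "tool_quarantine": [],     # already held by ComboFix/QooBox/VundoFix/HJT backups
        "registry_or_system": [],  # not a file path; needs a registry fix, not a file delete
        "already_disinfected": [], # Panda cleaned these itself
        "unparsed": [],            # header line, truncated last line, anything else
    }
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        loc = m.group("location").strip()
        if m.group("status") == "Disinfected":
            buckets["already_disinfected"].append(loc)
            continue
        if not DRIVE_RE.match(loc):
            buckets["registry_or_system"].append(f"{m.group('name')}: {loc}")
            continue
        member = MEMBER_RE.match(loc)
        if member:
            loc = member.group("path")
        folder = loc.rsplit("\\", 1)[0]
        low = loc.lower()
        if low.startswith(TOOL_PREFIXES) or low.endswith("\\combofix.exe"):
            buckets["tool_quarantine"].append(loc)
        elif "?" in folder:
            # The scanner printed "?" for characters it could not render, so the
            # exact folder name is unknown; the whole lookalike folder is removed.
            if folder not in buckets["manual_folders"]:
                buckets["manual_folders"].append(folder)
        else:
            buckets["delete_on_reboot"].append(loc)
    return buckets


def killbox_list(report: str) -> str:
    """The newline-separated path list to paste into Killbox's file field."""
    return "\n".join(triage(report)["delete_on_reboot"])


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(f"{bucket} ({len(items)})")
        for item in items:
            print("   ", item)
```

On the full report from post #6 this reproduces the helper's Killbox list and the two "?" folders of Step #4, while keeping the registry-only hits visible for a separate fix.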

#9 dmesser403

Posted 15 June 2007 - 05:48 PM

ComboFix 07-06-13.3 - C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe
"BridgetBruner" - 2007-06-16 18:14:44 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T4


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-16 18:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 18:41 <DIR> d-------- C:\DOCUME~1\BRIDGE~1\DoctorWeb
2007-06-06 21:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-26 11:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-05-24 18:52 <DIR> d-------- C:\VundoFix Backups
2007-05-22 20:49 <DIR> d--hs---- C:\UWA7P
2007-05-22 20:46 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-05-22 20:46 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-22 20:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-22 20:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\T6
2007-05-22 20:42 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 02:57:45 -------- d-----w C:\Program Files\REGSHAVE
2007-06-07 02:57:26 -------- d-----w C:\Program Files\QuickTime
2007-06-07 02:48:09 -------- d-----w C:\Program Files\iTunes
2007-06-07 02:47:18 -------- d-----w C:\Program Files\Google
2007-06-07 02:43:49 -------- d-----w C:\Program Files\Bodog Poker
2007-05-26 01:21:45 -------- d-----w C:\Program Files\Messenger
2007-05-24 23:10:10 -------- d-----w C:\Program Files\Spyware Doctor
2007-04-19 23:07:47 -------- d-----w C:\Program Files\iPod
2007-04-19 23:01:24 -------- d-----w C:\Program Files\Apple Software Update


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2005-05-24 08:44]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2005-11-08 17:43]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2005-03-09 08:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\SYSTEM32\pctspk.exe]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^DLHelperEXE.exe]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\DLHelperEXE.exe
backup=C:\WINDOWS\pss\DLHelperEXE.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
"C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
C:\Program Files\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
C:\Program Files\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"uploadmgr"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"Alerter"=3 (0x3)
"SysmonLog"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Dcfssvc"=2 (0x2)
"ClipSrv"=3 (0x3)
"CiSvc"=2 (0x2)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-04-19 23:01:28 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 18:21:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-16 18:22:33
C:\ComboFix-quarantined-files.txt ... 2007-06-16 18:22

--- E O F ---

#10 dmesser403 (Full Member, 11 posts)

Posted 15 June 2007 - 05:52 PM

backup-20060123-210537-828.dll;C:\HJT\backups;Adware.Ezula;Incurable.Moved.;
tdMain.js;C:\Poker\TournamentDirector\TournamentDirector\lib;Probably SCRIPT.Virus;Incurable.Moved.;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
Yazzle1281OinAdmin.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
lavuna.dll.vir;C:\QooBox\Quarantine\C\Program Files\Messenger;Trojan.StartPage.19992;Deleted.;
eliteunstall.exe.vir;C:\QooBox\Quarantine\C\WINDOWS;Adware.MediaMotor;Incurable.Moved.;
dwdsregt.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32;Adware.ZenoSearch;Incurable.Moved.;
A0053428.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP445;Adware.ZenoSearch;Incurable.Moved.;
A0053448.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP445;Trojan.PurityAd;Deleted.;
A0053457.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP446;Trojan.Virtumod;Deleted.;
A0053476.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053478.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053480.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053483.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053485.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053486.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.Virtumod;Deleted.;
A0053499.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Adware.ClickSpring;Incurable.Moved.;
A0053501.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Trojan.StartPage.19992;Deleted.;
A0053502.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Adware.ZenoSearch;Incurable.Moved.;
A0053503.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP447;Adware.MediaMotor;Incurable.Moved.;
A0053728.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP453;Trojan.DownLoader.22225;Deleted.;
A0053833.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.TryMedia;Incurable.Moved.;
A0053834.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ZenoSearch;Incurable.Moved.;
A0053835.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ZenoSearch;Incurable.Moved.;
A0053836.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.24027;Deleted.;
A0053837.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.Ucmore;Incurable.Moved.;
A0053838.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.StartPage.19993;Deleted.;
A0053850.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.22753;Deleted.;
A0053851.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ClickSpring;Incurable.Moved.;
A0053852.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.22753;Deleted.;
A0053853.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.Fakealert;Deleted.;
A0053854.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.Fakealert;Deleted.;
A0053855.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.Ucmore;Incurable.Moved.;
A0053856.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.StartPage.19993;Deleted.;
A0053857.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.TryMedia;Incurable.Moved.;
A0053858.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.3945;Deleted.;
A0053859.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ZenoSearch;Incurable.Moved.;
A0053860.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ZenoSearch;Incurable.Moved.;
A0053862.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.24027;Deleted.;
A0053864.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Adware.ZenoSearch;Incurable.Moved.;
A0053865.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.10963;Deleted.;
A0053867.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP454;Trojan.DownLoader.10963;Deleted.;
byxut.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
hnmcxcsb.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ikuuvdmx.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
rnxwpgle.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
urspn.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vturq.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
SCDSetup.EXE;C:\WINDOWS;Probably DLOADER.Trojan;Incurable.Moved.;
DLHelperEXE.exeStartup;C:\WINDOWS\pss;Adware.Webcom;Incurable.Moved.;

#11 dmesser403 (Full Member, 11 posts)

Posted 15 June 2007 - 06:02 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:53:42 PM, on 6/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Bodog Poker\BPGame.exe
C:\WINDOWS\EXPLORER.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.prucar.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topprodu...ads/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://www.andersonf...timage40930.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictu...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadc...tector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0522FD6-940C-4953-A325-2AE11C350E52}: NameServer = 10.10.70.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

#12 didom (Forum Deity, Retired Staff, 1,439 posts)

Posted 16 June 2007 - 05:35 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Please click: Start--> Control Panel--> Add or Remove Programs--> Uninstall (if found) any instances of:
Bodog Poker Version 2.8.2.8

Then reboot your computer.

Step #2

Scan again with HijackThis and check the following items:
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe

If you have not put these yourself in the Trusted Zone also check:

O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #3

Delete everything inside this folder (except anything you know what it is):
c:\temp

Step #4

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Folder::
C:\WINDOWS\SYSTEM32\T6
C:\UWA7P
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\Bodog Poker


Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.

Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

Please post the log from the ComboFix scan located at C:\ComboFix.txt.
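The Folder:: script in Step #4 tells ComboFix which directories to remove, and the log it writes lists what was actually deleted under "Other Deletions". As an added example, not part of this thread or of ComboFix itself, the Python below reads both and reports, for each requested folder, whether it was deleted, still shows up in the log, or is not mentioned. The script text and the log excerpt are copied from posts in this thread; the function names are this example's own.

```python
"""Check a ComboFix 'Folder::' script against the ComboFix log it produced.

Example code written for this thread, not ComboFix's own. It looks for each
requested folder under 'Other Deletions' (deleted) and, failing that, under
'Files Created' or 'Find3M Report' (still present).
"""
import re

# Folder:: script exactly as requested in Step #4 of this thread.
SCRIPT = r"""Folder::
C:\WINDOWS\SYSTEM32\T6
C:\UWA7P
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\Program Files\Bodog Poker
"""

# Excerpt of the ComboFix log posted later in this thread (abridged).
LOG = r"""((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log
C:\UWA7P
C:\WINDOWS\SYSTEM32\T6


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


2007-06-29 10:07 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-16 18:14 49,152 --a------ C:\WINDOWS\nircmd.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 02:43:49 -------- d-----w C:\Program Files\Bodog Poker
"""

# ComboFix frames each section title with runs of parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# A Windows path: drive letter, colon, backslash, then the rest of the line.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*")


def parse_script(text):
    """Return the folder paths listed under a 'Folder::' directive."""
    folders, active = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):  # directive header such as Folder:: or File::
            active = line.lower() == "folder::"
            continue
        if active:
            folders.append(line)
    return folders


def parse_log_sections(text):
    """Map each section title (e.g. 'Other Deletions') to the paths it lists."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            # 'Files Created from ... to ...' carries a date range; drop it.
            current = m.group(1).split(" from ")[0]
            sections[current] = []
            continue
        if current is None:
            continue
        p = PATH_RE.search(line)
        if p:
            sections[current].append(p.group(0).strip())
    return sections


def norm(path):
    """Case-insensitive comparison key without a trailing backslash."""
    return path.rstrip("\\").lower()


def check_script(script_text, log_text):
    """Return {requested folder: 'deleted' | 'still present' | 'not mentioned'}."""
    sections = parse_log_sections(log_text)
    deleted = {norm(p) for p in sections.get("Other Deletions", [])}
    present = {norm(p) for key in ("Files Created", "Find3M Report")
               for p in sections.get(key, [])}
    result = {}
    for folder in parse_script(script_text):
        n = norm(folder)
        if n in deleted or any(d.startswith(n + "\\") for d in deleted):
            result[folder] = "deleted"
        elif n in present or any(p.startswith(n + "\\") for p in present):
            result[folder] = "still present"
        else:
            result[folder] = "not mentioned"
    return result


if __name__ == "__main__":
    for folder, status in check_script(SCRIPT, LOG).items():
        print(f"{status:14} {folder}")
```

On the excerpt above, the four WinAntiVirus/T6/UWA7P folders come back as deleted and C:\Program Files\Bodog Poker as still present, which is what the later posts in this thread report.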

#13 dmesser403 (Full Member, 11 posts)

Posted 01 July 2007 - 08:26 PM

Sorry to take so long getting back on this! My 3 logs are posted below: Thanks!

ComboFix 07-06-13.3 - C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe
"BridgetBruner" - 2007-06-16 18:14:44 - Service Pack 1 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\system32\pog
C:\WINDOWS\system32\T4


((((((((((((((((((((((((( Files Created from 2007-05-16 to 2007-06-16 )))))))))))))))))))))))))))))))


2007-06-16 18:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 18:41 <DIR> d-------- C:\DOCUME~1\BRIDGE~1\DoctorWeb
2007-06-06 21:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-05-26 11:22 <DIR> d-------- C:\WINDOWS\SYSTEM32\SoftwareDistribution
2007-05-24 18:52 <DIR> d-------- C:\VundoFix Backups
2007-05-22 20:49 <DIR> d--hs---- C:\UWA7P
2007-05-22 20:46 24,064 --a------ C:\WINDOWS\SYSTEM32\msxml3a.dll
2007-05-22 20:46 <DIR> d-------- C:\Program Files\Common Files\WinAntiVirus Pro 2007
2007-05-22 20:46 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
2007-05-22 20:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\T6
2007-05-22 20:42 <DIR> d-------- C:\Temp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-07 02:57:45 -------- d-----w C:\Program Files\REGSHAVE
2007-06-07 02:57:26 -------- d-----w C:\Program Files\QuickTime
2007-06-07 02:48:09 -------- d-----w C:\Program Files\iTunes
2007-06-07 02:47:18 -------- d-----w C:\Program Files\Google
2007-06-07 02:43:49 -------- d-----w C:\Program Files\Bodog Poker
2007-05-26 01:21:45 -------- d-----w C:\Program Files\Messenger
2007-05-24 23:10:10 -------- d-----w C:\Program Files\Spyware Doctor
2007-04-19 23:07:47 -------- d-----w C:\Program Files\iPod
2007-04-19 23:01:24 -------- d-----w C:\Program Files\Apple Software Update


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2005-05-24 08:44]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2005-11-08 17:43]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2005-03-09 08:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\SYSTEM32\pctspk.exe]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^DLHelperEXE.exe]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\DLHelperEXE.exe
backup=C:\WINDOWS\pss\DLHelperEXE.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
"C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
C:\Program Files\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
C:\Program Files\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"uploadmgr"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"Alerter"=3 (0x3)
"SysmonLog"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Dcfssvc"=2 (0x2)
"ClipSrv"=3 (0x3)
"CiSvc"=2 (0x2)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-04-19 23:01:28 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-16 18:21:33
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-16 18:22:33
C:\ComboFix-quarantined-files.txt ... 2007-06-16 18:22

--- E O F ---

#14 dmesser403 (Full Member, 11 posts)

Posted 01 July 2007 - 08:28 PM

Oh, and I didn't delete the Bodog Poker files because I actually play poker at Bodog a couple of times a week. I hope that's okay.


Incident Status Location

Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/ist.sidefind Not disinfected Windows Registry
Adware:adware/ucmore Not disinfected Windows Registry
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe[nircmd.exe]
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053428.exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053499.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053502.exe
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053503.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053833.exe
Adware:Adware/Zeno Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053834.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053835.exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053837.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053851.exe
Adware:Adware/Ucmore Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053855.exe
Adware:Adware/Trymedia Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053857.exe
Adware:Adware/Zeno Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053859.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053860.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\A0053864.exe
Adware:Adware/eZula Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\backup-20060123-210537-828.dll
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\dwdsregt.exe.vir
Adware:Adware/EliteBar Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\eliteunstall.exe.vir
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\BridgetBruner\DoctorWeb\Quarantine\Yazzle1281OinAdmin.exe.vir
Adware:Adware/PurityScan Not disinfected C:\HJT\backups\backup-20070525-202741-878.dll
Spyware:Cookie/RealMedia Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@247realmedia[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@ad.yieldmanager[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@advertising[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@atdmt[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@bs.serving-sys[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@casalemedia[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@fastclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@phg.hitbox[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@serving-sys[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@tribalfusion[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Program Files\EarthLink 5.0\bbruner7@earthlink.net\Cookies\bridgetbruner@zedo[1].txt
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir
Adware:Adware/eZula Not disinfected C:\QooBox\Quarantine\C\WINDOWS\justin.exe.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hggefgf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\iiffdaa.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jkkligd.dll.bad
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#15 dmesser403 (Full Member, 11 posts)

Posted 01 July 2007 - 08:29 PM

ComboFix 07-06-13.3 - C:\Documents and Settings\BridgetBruner\Desktop\ComboFix.exe
"BridgetBruner" - 2007-06-29 11:26:22 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\BridgetBruner\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ActivationCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiVirus Pro 2007\Data\ProductCode
C:\Program Files\Common Files\WinAntiVirus Pro 2007
C:\Program Files\Common Files\WinAntiVirus Pro 2007\err.log
C:\Program Files\Common Files\WinAntiVirus Pro 2007\mfc71.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2007\msvcp71.dll
C:\Program Files\Common Files\WinAntiVirus Pro 2007\msvcr71.dll
C:\UWA7P
C:\WINDOWS\SYSTEM32\T6


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


2007-06-29 10:07 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-16 18:14 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-15 18:41 <DIR> d-------- C:\DOCUME~1\BRIDGE~1\DoctorWeb
2007-06-06 21:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 00:49:54 -------- d-----w C:\Program Files\Dl_cats
2007-06-22 15:22:26 -------- d-----w C:\Program Files\PartyGaming
2007-06-07 02:57:45 -------- d-----w C:\Program Files\REGSHAVE
2007-06-07 02:57:26 -------- d-----w C:\Program Files\QuickTime
2007-06-07 02:48:09 -------- d-----w C:\Program Files\iTunes
2007-06-07 02:47:18 -------- d-----w C:\Program Files\Google
2007-06-07 02:43:49 -------- d-----w C:\Program Files\Bodog Poker
2007-05-26 01:21:45 -------- d-----w C:\Program Files\Messenger
2007-05-24 23:10:10 -------- d-----w C:\Program Files\Spyware Doctor
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}=C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll [2005-05-24 08:44]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2005-11-08 17:43]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}=C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll [2005-03-09 08:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2002-07-18 16:58 C:\WINDOWS\SYSTEM32\pctspk.exe]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher.lnk
backup=C:\WINDOWS\pss\Exif Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^DLHelperEXE.exe]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\DLHelperEXE.exe
backup=C:\WINDOWS\pss\DLHelperEXE.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^BridgetBruner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\BridgetBruner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ConMgr.exe]
"C:\Program Files\EarthLink 5.0\conmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell Photo AIO Printer 922]
"C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JobHisInit]
C:\Program Files\RMClient\JobHisInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
"C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MplSetUp]
C:\Program Files\RMClient\MplSetUp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\MSMSGS.EXE" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"uploadmgr"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"Alerter"=3 (0x3)
"SysmonLog"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Dcfssvc"=2 (0x2)
"ClipSrv"=3 (0x3)
"CiSvc"=2 (0x2)
"BITS"=3 (0x3)
"ALG"=3 (0x3)
"McTaskManager"=2 (0x2)
"McShield"=2 (0x2)
"McAfeeFramework"=2 (0x2)


Contents of the 'Scheduled Tasks' folder
2007-04-19 23:01:28 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 11:33:42
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 11:34:28
C:\ComboFix-quarantined-files.txt ... 2007-06-29 11:34
C:\ComboFix2.txt ... 2007-06-16 18:22

--- E O F ---

#16 didom

didom

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,439 posts

Posted 02 July 2007 - 04:23 AM

Please post a fresh HijackThis log and tell me how your system is running now!

#17 dmesser403

dmesser403

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 08 July 2007 - 02:40 PM

My system seems to be running okay. The pop-ups stopped a while ago. Anything else I need to do? Thanks for your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 3:38:31 PM, on 7/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.prucar.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www1.priv.cml...ch/XMLCache.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {8569D715-FF88-44BA-8D1D-AD3E59543DDE} (ActiveReports Viewer2) - https://www.topprodu...ads/arview2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://www.andersonf...timage40930.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.sonypictu...aploader_v6.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://cdn.downloadc...tector-Free.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0522FD6-940C-4953-A325-2AE11C350E52}: NameServer = 10.10.70.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: dlbt_device - Dell - C:\WINDOWS\System32\dlbtcoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

#18 didom

didom

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,439 posts

Posted 20 July 2007 - 06:56 AM

This log looks clean!
  • Don't forget to re-hide all files and folders. To re-hide all files and folders:
    • Open My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading deselect "Show hidden files and folders".
    • Check the Hide protected operating system files (recommended) option.
    • Click Yes to confirm.
    • Click OK.

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
    • Turn off System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • Check "Turn off System Restore".
      • Click Apply, and then click OK.
    • Reboot your computer.
    • Turn ON System Restore.
      • On the Desktop, right-click My Computer.
      • Click Properties.
      • Click the System Restore tab.
      • UN-Check "Turn off System Restore".
      • Click Apply, and then click OK.
  • This is a good time to set up protection against further attacks. Read the article behind this link "How did I get infected". If you don't already have them, you need an antivirus that is updated, a good firewall (for example Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....

    Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

    Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

    This can be accessed by going to http://windowsupdate.microsoft.com and following the prompts. If you are running Windows XP make sure you get updated to SP-2!!

    Please post back if you are still having any problems....



#19 didom

didom

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 1,439 posts

Posted 20 July 2007 - 06:56 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
