Can't remove spyware
mav41
Junior Member
4. December 2007 @ 03:09
I was using Limewire and all of a sudden 3 icons appeared on my desktop.
Error Cleaner
Privacy Protector
Spyware & Malware Protection
These are the 3 icons that appeared. And I am also getting popups trying to get me to download spyware protection even when offline.
I would really appreciate any help.
Member
4. December 2007 @ 14:07
Member
4. December 2007 @ 14:09
Post back so I can see if it got rid of your problem.
mav41
Junior Member
4. December 2007 @ 16:54
Thank you for responding, but neither worked.
I tried Spyware Doctor, and the description of the things that it found affecting my computer seems pretty accurate, but I have to buy it so it can remove them. So I was wondering if there's any way I can get it for free, or any similar software.
shiloh72
Suspended due to non-functional email address
4. December 2007 @ 21:19
Try www.spywareterminator.com. Download it, then make sure it's updated, then reboot your computer in safe mode and run the program. It has never failed me.
lee mullin
mav41
Junior Member
5. December 2007 @ 18:55
I tried it and it didn't work. I'll probably buy Spyware Doctor; it's only $30. I'll still try any suggestions if anybody has any.
Member
5. December 2007 @ 21:02
Hi,
Quote: Error Cleaner
Privacy Protector
Spyware & Malware Protection
These are the 3 icons that appeared. And I am also getting popups trying to get me to download spyware protection even when offline.
That's the classic sign of Smitfraud.
I have some screenshots on my website:
http://www.virusvault.us/smitfraud_trojan_downloaders.htm
I would also suggest you get HJT and post a log after you run SmitfraudFix, as it can be packaged with other "goodies" that the Smitfraud fix will not address.
-------------------------------------
Download SmitfraudFix (by S!Ri) to your Desktop:
http://www.bleepingcomputer.com/files/smitfraudfix.php
You might want to copy/paste this into Notepad and save it so you can read it in safe mode:
Boot the computer into safe mode.
To reach safe mode: restart your computer and tap the F8 key during boot-up. Choose the first option from the list: Safe Mode. Log on to your regular account.
Locate the SmitfraudFix icon on the desktop and double-click it to start.
From the main option menu, choose the second option (Clean). After SmitfraudFix runs, Disk Cleanup will run; last, when asked if you want to clean the registry, select Y (yes) then Enter. The computer will reboot and after the restart produce a log. Please save the log somewhere.
Post the SmitfraudFix log and an HJT log.
echoreply
shiloh72
Suspended due to non-functional email address
6. December 2007 @ 02:37
Well, good luck. I hope you get it fixed.
lee mullin
Member
6. December 2007 @ 05:10
Try http://free.grisoft.com/doc/20/lng/us/tpl/v5
That is AVG Anti-Spyware (free version). This version of AVG Anti-Spyware features the same powerful scanner as the paid-for version does; only this version will not watch your computer in real time. This is one of the best on-demand scanners.
mav41
Junior Member
6. December 2007 @ 17:21
This is what came up after I did what you said. I didn't try HJT; it said it could do more harm than good if you don't know how to use it.
SmitFraudFix v2.258
Scan done at 13:43:32.84, Thu 12/06/2007
Run from C:\Documents and Settings\HP_Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CCS\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS1\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{892900FC-9814-4488-99C0-81491C1EE93D}: DhcpNameServer=16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
HKLM\SYSTEM\CS3\Services\Tcpip\..\{BA2D26AE-8B5B-463B-9162-ADC3FFB93BE1}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
Member
6. December 2007 @ 20:03
Hi,
The SmitfraudFix scan looks OK.
You don't really have to use HJT; just scan with it and post the results for me:
Download HiJackThis log - Trend Micro HijackThis 2.0.2
http://www.trendsecure.com/portal/en-US/.../HJTInstall.exe
* Save HJTInstall.exe to your desktop.
* Doubleclick on the HJTInstall.exe icon on your desktop.
* By default it will install to C:\Program Files\Trend Micro\HijackThis .
* Click on Install.
* It will create a HijackThis icon on the desktop.
* Once installed, it will launch Hijackthis.
* Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
* Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log in next reply.
echoreply
mav41
Junior Member
7. December 2007 @ 15:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:31 PM, on 12/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3...LION&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AudioGizmo Toolbar Helper - {5980B104-CA68-4A9F-9E78-80ADBD2CA53B} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: AudioGizmo Toolbar - {C6BB606F-232D-4957-8AFF-7D4F4A220F67} - C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: AT&T Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Member
7. December 2007 @ 21:35
mav41
Junior Member
12. December 2007 @ 00:10
Sorry I took so long.
ComboFix 07-12-12.3 - HP_Administrator 2007-12-11 21:00:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.91 [GMT -8:00]
Running from: C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\PARRS8BS\ComboFix[1].exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\dat.txt
C:\WINDOWS\rs.txt
C:\WINDOWS\system32\f3PSSavr.scr
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-11-12 to 2007-12-12 )))))))))))))))))))))))))))))))
.
2007-12-11 20:49 . 2007-12-11 20:49 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-07 12:21 . 2007-12-07 12:21 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-06 14:02 . 2007-12-06 14:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-06 13:33 . 2007-12-06 13:43 3,894 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-06 12:58 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-06 12:58 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-06 12:58 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-06 12:58 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-06 12:58 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-04 00:12 . 2007-12-11 20:50 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-04 00:12 . 2007-12-04 00:12 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\PC Tools
2007-12-04 00:12 . 2007-10-18 00:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-04 00:12 . 2007-10-18 00:15 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-04 00:12 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-04 00:12 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-03 23:45 . 2007-12-03 23:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-02 23:47 . 2007-12-02 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2007-12-02 21:49 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-30 00:31 . 2007-11-30 00:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-30 00:31 . 2007-11-30 00:31 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-25 20:30 . 2007-11-25 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-11-23 13:32 . 2007-11-23 13:32 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\Viewpoint
2007-11-17 23:20 . 2007-11-17 23:20 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MySpace
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-09 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-07 20:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-07 19:36 --------- d-----w C:\Program Files\Norton Internet Security
2007-12-07 19:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-07 19:32 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-07 19:32 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-07 19:32 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-07 19:32 --------- d-----w C:\Program Files\Symantec
2007-12-03 02:20 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2007-12-02 21:56 21,556 ----a-w C:\Documents and Settings\HP_Administrator\xrt_log.dat
2007-11-23 21:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-11-08 23:41 --------- d-----w C:\Program Files\DVDFab HD Decrypter 3
2007-11-08 22:51 --------- d-----w C:\Program Files\Elaborate Bytes
2007-11-08 21:22 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\RipIt4Me
2007-11-07 22:58 --------- d-----w C:\Program Files\Digital Photo Recovery
2007-11-06 08:33 --------- d-----w C:\Program Files\GetData
2007-11-03 18:32 --------- d-----w C:\Program Files\SBC Self Support Tool
2007-11-03 18:32 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Motive
2007-11-02 08:13 --------- d-----w C:\Program Files\LimeWire
2007-10-31 18:52 19,818 ----a-w C:\Documents and Settings\HP_Administrator\xrt_collect.zip
2007-10-26 05:01 --------- d-----w C:\Program Files\Java
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-24 18:53 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\TuneUp Software
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\y8lcr4ox.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\tp5kji4s.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\qxqiny84.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\q2x3c0sm.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\gr1tbk7a.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\8a2t4lwu.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\156wooq4.exe
2007-10-23 00:20 36,864 ----a-w C:\WINDOWS\l8ttvcks.exe
2007-10-23 00:20 36,864 ----a-w C:\Documents and Settings\HP_Administrator\xrt_wtyo.exe
2007-10-13 17:19 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\Netscape
2007-10-13 05:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-10-13 05:19 --------- d-----w C:\Program Files\HP Games
2007-10-13 02:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-12 02:09 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-11 00:45 155,995 ----a-w C:\WINDOWS\java\Packages\3RJLJ1JZ.ZIP
2007-10-03 20:59 958 ----a-w C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2007-10-01 22:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 22:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5980B104-CA68-4A9F-9E78-80ADBD2CA53B}]
2007-03-28 21:18 798720 --a------ C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{C6BB606F-232D-4957-8AFF-7D4F4A220F67}"= C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2007-03-28 21:18 798720]
[HKEY_CLASSES_ROOT\clsid\{c6bb606f-232d-4957-8aff-7d4f4a220f67}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{C6BB606F-232D-4957-8AFF-7D4F4A220F67}"= C:\Program Files\AudioGizmo Extension\v3.2.0.0\AudioGizmo_Toolbar.dll [2007-03-28 21:18 798720]
[HKEY_CLASSES_ROOT\clsid\{c6bb606f-232d-4957-8aff-7d4f4a220f67}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 08:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 21:25]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 16:43]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 13:01]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 15:19 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 15:35]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 14:14]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 14:34]
"Reminder"="C:\Windows\Creator\Remind_XP.exe" [2004-12-13 18:23]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-12-15 10:18]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-14 00:45]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 20:54 C:\WINDOWS\RTHDCPL.EXE]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 20:26]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 15:19]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 06:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 18:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-11-02 17:24]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AT&T Self Support Tool.lnk - C:\Program Files\SBC Self Support Tool\bin\matcli.exe [2007-10-10 20:56:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 10:40:44]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-05-14 01:06:58]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
"DiscUpdateManager"=C:\Program Files\DISC\DiscUpdMgr.exe
"DISCover"=C:\Program Files\DISC\DISCover.exe
*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 00:15:02 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-07-09 14:52:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-12 04:59:10 C:\WINDOWS\Tasks\Easy Internet Sign-up.job"
- C:\Program Files\Hewlett-Packard\SDP\HPSdpApp.exef/remind /LaunchPoint reminder /App C:\Program Files\Hewlett-Packard\Easy Internet signup\StartEIS.aml
"2007-11-24 04:42:34 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-11 21:05:45
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-11 21:07:15
.
2007-11-13 21:21:00 --- E O F ---
Member
12. December 2007 @ 06:00
Hi,
OK, thanks for the info. I will get back to you soon.
echoreply
Member
12. December 2007 @ 19:18
Hi,
Open Notepad. It must be Notepad, not WordPad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C:
File::
C:\WINDOWS\y8lcr4ox.exe
C:\WINDOWS\tp5kji4s.exe
C:\WINDOWS\qxqiny84.exe
C:\WINDOWS\q2x3c0sm.exe
C:\WINDOWS\gr1tbk7a.exe
C:\WINDOWS\8a2t4lwu.exe
C:\WINDOWS\156wooq4.exe
C:\WINDOWS\l8ttvcks.exe
Go to the Notepad window and click Edit > Paste.
Then click File > Save.
Name the file "CFScript.txt" (including the quotes).
Save the file to your Desktop.
Next:
Locate the .txt file you just saved and the ComboFix icon, both on the desktop. Left-click with the mouse on CFScript.txt and, holding down the mouse button, drag the .txt right on top of the ComboFix icon and release the mouse button.
ComboFix will run and generate a new report. Post the new log in your next reply.
Also, using Explorer, look here:
C:\Documents and Settings\HP_Administrator\
and delete this file: xrt_wtyo.exe
Reboot once, then rescan and post a new HJT log please.
----------------------------
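The eight files in that File:: list are the same-size executables written to the Windows directory within a minute of each other in the ComboFix Find3M report above. As an added example (not ComboFix code and not the helper's own tool), this Python script applies that triage rule to constructed sample lines taken from the report and renders the File:: block; the thresholds (at least 3 members, 5-minute window) and the random-name pattern are assumptions.

```python
"""Triage helper for a ComboFix "Find3M Report".

Flags groups of regular files that share one exact size and were written
within a few minutes of each other, then marks which members carry an
eight-character random-looking name. Added example for this thread; the
thresholds below are assumptions, not ComboFix rules.
"""
import re
from collections import defaultdict

# One Find3M line: "YYYY-MM-DD HH:MM <size or dashes> <attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):(?P<minute>\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$"
)
# Eight lower-case letters/digits followed by .exe, e.g. y8lcr4ox.exe (assumed pattern)
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.exe$")

# Constructed sample: a subset of the Find3M lines posted in this thread.
SAMPLE_FIND3M = r"""
2007-12-09 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-07 19:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-07 19:32 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-07 19:32 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-07 19:32 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\y8lcr4ox.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\tp5kji4s.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\qxqiny84.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\q2x3c0sm.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\gr1tbk7a.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\8a2t4lwu.exe
2007-10-23 00:21 36,864 ----a-w C:\WINDOWS\156wooq4.exe
2007-10-23 00:20 36,864 ----a-w C:\WINDOWS\l8ttvcks.exe
2007-10-23 00:20 36,864 ----a-w C:\Documents and Settings\HP_Administrator\xrt_wtyo.exe
2007-10-01 22:49 542,088 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-01 22:49 161,160 ----a-w C:\WINDOWS\system32\SymRedir.dll
"""


def parse_find3m(text):
    """Return one dict per Find3M line that parses; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append({
            "date": m["date"],
            "minutes": int(m["hour"]) * 60 + int(m["minute"]),  # minutes since midnight
            "size": size,
            "is_dir": m["attrs"].startswith("d"),
            "path": m["path"],
        })
    return entries


def find_clusters(entries, min_members=3, window_minutes=5):
    """Group regular files by (date, exact size) and keep groups of at least
    min_members whose timestamps all fall within window_minutes."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"] or e["size"] is None:
            continue
        groups[(e["date"], e["size"])].append(e)
    clusters = []
    for (date, size), members in sorted(groups.items()):
        if len(members) < min_members:
            continue
        times = sorted(x["minutes"] for x in members)
        if times[-1] - times[0] > window_minutes:
            continue
        paths = sorted(x["path"] for x in members)
        random_named = [p for p in paths if RANDOM_NAME_RE.match(p.rsplit("\\", 1)[-1])]
        clusters.append({"date": date, "size": size, "paths": paths,
                         "random_named": random_named})
    return clusters


def build_cfscript(paths):
    """Render the File:: block in the form the helper asked to be saved as CFScript.txt."""
    return "File::\n" + "\n".join(paths) + "\n"


def describe(clusters):
    """One summary line per cluster, then one line per member with a triage tag."""
    lines = []
    for c in clusters:
        lines.append(f"{c['date']} size={c['size']} members={len(c['paths'])}")
        for p in c["paths"]:
            tag = "random-name" if p in c["random_named"] else "check-manually"
            lines.append(f"  [{tag}] {p}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_clusters(parse_find3m(SAMPLE_FIND3M))
    print(describe(found))
    if found:
        print(build_cfscript(found[0]["random_named"]))
```

On the sample, xrt_wtyo.exe lands in the same cluster by size and time but is tagged check-manually because its name does not match the random pattern, which mirrors the helper handling it as a separate manual deletion.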
mav41
Junior Member
13. December 2007 @ 23:56
I did the thing with ComboFix and after the reboot my taskbar and Start menu changed to the old version and I can't go online. I'm writing this on a different PC. I really need help as soon as possible, PLEASE.
mav41
Junior Member
14. December 2007 @ 18:16
I tried using System Restore and this is what it says:
System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again.
I'm trying to restore to a point before I used ComboFix.
Please help.
Member
14. December 2007 @ 19:41
Hi,
Quote: I tried using system restore
System Restore should never be used in the middle of a malware fix, and not at all until the computer is clean. Malware can get archived in the restore points and you can re-infect yourself by using System Restore.
mav41
Junior Member
15. December 2007 @ 02:19
So what can I do, and why can't I go online?
Please help.
Member
15. December 2007 @ 17:44
If you have used System Restore then you may have reinfected yourself. Time to start over: rescan and post a new HJT log.
mav41
Junior Member
15. December 2007 @ 20:36
I couldn't run System Restore. I was trying to use it so everything would go back to a point before I used ComboFix, because after I used it the taskbar and Start menu changed to the old version and I can't go online, and I don't know what to do to fix it. The main thing is: why can't I go online?
Member
16. December 2007 @ 00:23
mav41,
Have you made any progress? Your HJT log has a few suspects from what I can see... although I'm no expert on these logs.
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...?p=ZKxdm021YYUS ..... tool bar edit... hmmmm
I would certainly recommend doing another HJT "SCAN ONLY" and checking and removing the "R3" & "O8" PATHS LISTED ABOVE. NOT QUITE SURE ABOUT THE "O4"; I'd leave it alone for now.
And after that... reboot in SAFE MODE (tap F8 continuously upon restart) and run every anti-virus and anti-spyware program you have installed. Then reboot in normal mode and check your progress/post back.
cheers
mav41
Junior Member
16. December 2007 @ 02:01
Why do you think I should remove those things? Can you please tell me what they are?
Does anybody know why I can't go online after using ComboFix?
Member
16. December 2007 @ 10:17
ComboFix has nothing to do with your ability to get online. Remove it like this:
Start > Run, type in combofix /u
and click OK. There is a space after the 'x' in combofix.