winsinstall.exe removal
corumisri
Inactive
31. December 2008 @ 17:36
All of a sudden my computer has gone haywire, with constant pop-ups being thrown onto my screen every time I open up Firefox. I ran AVG and it says I have a crap ton of viruses, and I am trying to get rid of each and every one manually. Does anyone know how to get rid of winsinstall (NOT WININSTALL)? I have tried looking online and I think this is the most annoying virus I have on my computer at the moment. Thanks for any help. FYI, I would rather not have to install anything new, but if it is really going to help I guess I can't help it.
AfterDawn Addict
5. January 2009 @ 05:18
Hi corumisri,
In order to clean up most malware problems and make a final cleaning of the leftovers easier, please do the following pre-clean. It may very well take care of your problems without the need of further cleaning:
Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure the "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  o Close browsers before scanning.
  o Scan for tracking cookies.
  o Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• "Close" the program. Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and before the Windows icon appears press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All.
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All.
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
  o Click Preferences, then click the Statistics/Logs tab.
  o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.
Scan with Malwarebytes' Anti-Malware as follows:
Double-click and run mbam
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Reboot to Normal Mode
If you're still having problems:
Download and install TrendMicro HijackThis.exe (HJT)
• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
• Click on the Do a system scan and save a log file button.
• HijackThis will scan and then a log will open in Notepad.
• Copy and then paste the entire contents of the log in your post.
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Please describe those problems as best you can and post the SUPERAntiSpyware Log, Malwarebytes' Anti-Malware Log and a fresh HijackThis Log in your next reply.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
khadden
Newbie
11. January 2009 @ 10:03
Thanks for the help. I have AVG Internet Security (up to date) and am VERY disappointed that it didn't block winsinstall.exe from my computer. Anyway... here are the log files that you requested we post. My Internet Explorer is still locking up, but I am going to give it a couple of days to see if it is just an internet thing or still something on my computer.
Thanks! khadden
SUPERAntiSpyware Scan Log - 01-11-2009 - 05-15-49.log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/11/2009 at 05:15 AM
Application Version : 4.24.1004
Core Rules Database Version : 3705
Trace Rules Database Version: 1680
Scan type : Complete Scan
Total Scan Time : 01:16:44
Memory items scanned : 219
Memory threats detected : 2
Registry items scanned : 6890
Registry threats detected : 76
File items scanned : 142163
File threats detected : 7
Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\VTUOOHGG.DLL
C:\WINDOWS\SYSTEM32\VTUOOHGG.DLL
C:\WINDOWS\SYSTEM32\WVUMJHYQ.DLL
C:\WINDOWS\SYSTEM32\WVUMJHYQ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}
HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}
HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}\InprocServer32
HKCR\CLSID\{AAF35E07-39DC-42CE-AAFA-6E00050E7E80}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\vtUoOhgg
C:\WINDOWS\SYSTEM32\SSQNOETU.DLL
Adware.Prun-A
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
C:\WINDOWS\SYSTEM32\PRUNNET.EXE
[prunnet] C:\WINDOWS\SYSTEM32\PRUNNET.EXE
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
Rogue.AntiSpywareMaster
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\FCOVM
HKLM\SOFTWARE\Microsoft\RemoveRP
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#LU
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#CT
HKLM\SOFTWARE\Microsoft\MS Juan\JKWL\winsinstall.exe#LT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#LBL
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan#MN
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan#CNT
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#LTM
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CDY
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan#CNT
HKLM\SOFTWARE\Microsoft\contim
HKLM\SOFTWARE\Microsoft\contim#SysShell
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
HKLM\SOFTWARE\Microsoft\MS Track System#Shows
HKLM\SOFTWARE\Microsoft\MS Track System#Uqs
HKLM\SOFTWARE\Microsoft\rdfa
HKLM\SOFTWARE\Microsoft\rdfa#F
HKLM\SOFTWARE\Microsoft\rdfa#N
C:\WINDOWS\SYSTEM32\MCRH.TMP
Rogue.VirusRemover2008
HKLM\Software\{5222008A-DD62-49c7-A735-7BD18ECC7350}
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\VirusRemover2008
HKLM\Software\VirusRemover2008
Rogue.Component/Trace
HKLM\Software\Microsoft\16781358
HKLM\Software\Microsoft\16781358#16781358
HKLM\Software\Microsoft\16781358#Version
HKLM\Software\Microsoft\16781358#1678bed8
HKLM\Software\Microsoft\16781358#1678d73d
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\CS41275
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\FIAS4018
Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]
HKU\S-1-5-21-1435463386-401530978-3356590047-1005\Software\Microsoft\Windows\CurrentVersion\Run#prunnet [ "C:\WINDOWS\system32\prunnet.exe" ]
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FFKUZ.DLL
Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\JKKKEBXV.DLL
mbam-log-2009-01-11 (09-29-02).txt
Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 2
1/11/2009 9:29:02 AM
mbam-log-2009-01-11 (09-29-02).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 196790
Time elapsed: 53 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\kokhgbys.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\rnoavs.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{97d02d5b-0111-4ddc-92be-c033df03fec2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\167801d6 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\rnoavs.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\kokhgbys.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sybghkok.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Karen\Local Settings\Temp\senekaa079.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dammyagn.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekagkhroyep.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaixeaswie.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekapsfojwpv.sys (Trojan.Agent) -> Quarantined and deleted successfully.
AfterDawn Addict
11. January 2009 @ 10:23
Hi khadden,
Looks like that cleared a lot of problems..
Please post a HJT Log and let me know if you still have problems and what they are?
Download TrendMicro HijackThis.exe (HJT)
• Double-click on HJTInstall.
• Click on the Install button.
• It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
• Upon install, HijackThis should open for you.
• Click on the Do a system scan and save a log file button.
• HijackThis will scan and then a log will open in Notepad.
• Copy and then paste the entire contents of the log in your post.
• Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
2OG
khadden
Newbie
11. January 2009 @ 10:26
Wow that was a quick response! I had already run the other program but didn't post the results so here they are:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:57 AM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Vongo\VongoService.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\CalendarPal\CalendarPal.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BellSouth Toolbar - {4E7BD74F-2B8D-469E-8CBD-FD60BB9AAE2E} - C:\PROGRA~1\BLSTOO~1\BLSTOO~1.DLL
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand2515.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [CalendarPal] C:\Program Files\CalendarPal\CalendarPal.exe -min
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://clubgames.pogo.com/online2/pogop/luxor_2/mjolauncher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://www.disneyphotopass.com/software/ImageUploader4.cab
O20 - AppInit_DLLs: rnoavs.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe
--
End of file - 9530 bytes
AfterDawn Addict
11. January 2009 @ 11:09
khadden,
Sorry to alarm you, but I was sitting at the computer when your post came through.. : )
Log looks clean except for one entry that I cannot find any info on. It's probably a random file name and I just can't trust those.
Do the following and let me know if you have any problems and what they are.
Fix entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)
O20 - AppInit_DLLs: rnoavs.dll
IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis
2OG
khadden
Newbie
11. January 2009 @ 14:00
Thanks for your help! I made the change, rebooted and so far so good!
Have a great day!
K
AfterDawn Addict
12. January 2009 @ 05:28
Glad I could help.
Any more problems, just give me a shout..
2OG
Modzey
Newbie
12. January 2009 @ 12:14
I am having a very similar problem to the one above. Winsinstall got onto my computer somehow. My Norton antivirus has been disabled, IE will not load or, by the looks of it, attempt to load any websites, and my system restore seems to not be working either. I went through the steps above with the virus scans and all, but also for some reason some of the virus programs could not check for updates. Also my computer is overall running incredibly slower than normal (lagging when typing). After I went through those scans I did run HijackThis and was wondering if anyone could give me some help.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:11:41 PM, on 1/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O20 - AppInit_DLLs: ikizhs.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
--
End of file - 8846 bytes
|
AfterDawn Addict
|
13. January 2009 @ 00:22 |
|
Modzey,
Let's see what we can do...
Please follow these instructions:
Fix entries using HiJackThis
Launch HiJackThis
Click the Do a system scan only button
Put a check next to the entries listed below (if they still remain)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZS
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - AppInit_DLLs: ikizhs.dll
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
Click the Fix checked button and close HiJackThis
Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
Note: If SAS fails to install try renaming the file to S_A_S.exe and run setup again. If it will not update then you can manually update the definitions.
• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
• Under the "Configuration and Preferences", click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
o Close browsers before scanning.
o Scan for tracking cookies.
o Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".
Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Scan with SUPERAntiSpyware as follows:
• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
o Click Preferences, then click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
o Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.
Reboot to Normal Mode
Please post the SUPERAntiSpyware Log and a fresh HijackThis log in your next reply.
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
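The entries the helper singled out above share a few tells: Run values with random-looking names that launch from the user's Temp or Application Data folders, file names that imitate winlogon.exe and csrss.exe, a non-empty AppInit_DLLs value (a DLL loaded into every process that uses user32), services with no vendor whose binary is missing, and a start page pointing at an outside host. As an added example (not part of the original thread and not HijackThis's own code), the following Python script encodes those tells and runs them over lines copied from the log above; the heuristics and their thresholds are this example's own choices, not anything HijackThis applies itself:

```python
import re

# Lines copied from the HijackThis log posted above (not constructed).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\DOCUME~1\Kevin\LOCALS~1\Temp\winloggn.exe
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Kevin\LOCALS~1\Temp\csrssc.exe
O20 - AppInit_DLLs: ikizhs.dll
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Core Windows process names that malware commonly imitates (example's own list).
SYSTEM_NAMES = {"winlogon", "csrss", "svchost", "lsass", "services", "explorer", "smss"}

# Path fragments no legitimate autostart entry should run from (lower-cased).
USER_WRITABLE = ("\\temp\\", "\\locals~1\\temp", "\\application data\\", "\\local settings\\")

RUN_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.exe)"?', re.I)
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - .+= (?P<value>.+)$")


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(name):
    """Value names such as 'lrijh8s73jhbfgfd': long, lower-case, letters and digits mixed."""
    return (len(name) >= 12 and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage_line(line):
    """Return the reasons one HijackThis line deserves a second look (empty if it looks benign)."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        path = m.group("path").lower()
        stem = path.rsplit("\\", 1)[-1][:-4]          # file name without ".exe"
        if any(frag in path for frag in USER_WRITABLE):
            reasons.append("autorun from user-writable directory")
        if looks_random(m.group("name")):
            reasons.append("random-looking value name")
        if stem not in SYSTEM_NAMES and any(edit_distance(stem, s) <= 2 for s in SYSTEM_NAMES):
            reasons.append("file name imitates a system process")
    m = SVC_RE.match(line)
    if m:
        if "(file missing)" in m.group("path"):
            reasons.append("service binary missing")
        if m.group("owner") == "Unknown owner":
            reasons.append("service has no vendor")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs loads a DLL into every process that uses user32")
    m = R_RE.match(line)
    if m and m.group("value") != "about:blank" and "." in m.group("value"):
        reasons.append("browser start/search page points at an external host")
    return reasons


def triage(log_text):
    """Map each flagged log line to its reasons, preserving log order."""
    flagged = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it prints each flagged line with its reasons: everything it flags is on the helper's fix list above, while ccApp and NVSvc pass. The look-alike check is deliberately loose (edit distance of two), so treat the output as a worklist for a human to confirm against the file on disk, not as a verdict.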
|
Modzey
Newbie
|
13. January 2009 @ 17:39 |
|
It seems like getting rid of some of those you pointed out has helped so far. IE still does not work and Norton will not load either.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/13/2009 at 05:24 PM
Application Version : 4.24.1004
Core Rules Database Version : 3706
Trace Rules Database Version: 1681
Scan type : Complete Scan
Total Scan Time : 01:00:13
Memory items scanned : 153
Memory threats detected : 0
Registry items scanned : 6767
Registry threats detected : 35
File items scanned : 23431
File threats detected : 74
Adware.Viewpoint Toolbar
HKLM\Software\Classes\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\InProcServer32#ThreadingModel
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\ProgID
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\Programmable
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\TypeLib
HKCR\CLSID\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}\VersionIndependentProgID
HKCR\ViewBar.ViewBar.1
HKCR\ViewBar.ViewBar.1\CLSID
HKCR\ViewBar.ViewBar
HKCR\ViewBar.ViewBar\CLSID
HKCR\ViewBar.ViewBar\CurVer
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\0\win32
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\FLAGS
HKCR\TypeLib\{E060D9D9-E979-4C2F-A840-BE5150F84AC5}\1.0\HELPDIR
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT TOOLBAR\VIEWBAR.DLL
HKU\S-1-5-21-2025429265-1637723038-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{F8AD5AA5-D966-4667-9DAF-2561D68B2012}
Adware.MyWebSearch/FunWebProducts
HKU\S-1-5-21-2025429265-1637723038-725345543-1003\SOFTWARE\FunWebProducts
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}
HKCR\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\TreatAs
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\MS Juan
HKLM\SOFTWARE\Microsoft\MS Juan#RID
HKLM\SOFTWARE\Microsoft\MS Juan\DJZERO
HKLM\SOFTWARE\Microsoft\MS Juan\metajuan
HKLM\SOFTWARE\Microsoft\MS Juan\meta_mg
HKLM\SOFTWARE\Microsoft\MS Juan\profiling4
HKLM\SOFTWARE\Microsoft\MS Juan\superjuan
HKLM\SOFTWARE\Microsoft\MS Juan\TrackDJuan
HKLM\SOFTWARE\Microsoft\MS Track System
HKLM\SOFTWARE\Microsoft\MS Track System#Uid
Adware.Tracking Cookie
.atdmt.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.doubleclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.iacas.adbureau.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
media.adrevolver.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.searchfeed.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.advertising.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.imrworldwide.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.bluestreak.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.tribalfusion.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
ad.yieldmanager.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.realmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
www.findstuff.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
ads.bridgetrack.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificmedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adopt.specificclick.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.kontera.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.adbrite.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.mediaonenetwork.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.msnportal.112.2o7.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.casalemedia.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.mediaplex.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
bridge2.admarketplace.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.admarketplace.net [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
www.stopzilla.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.bs.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
.serving-sys.com [ C:\Documents and Settings\Kevin\Application Data\Mozilla\Firefox\Profiles\hyqz1c1k.Default User\cookies.txt ]
BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\FFKUZ.DLL
Also, I have one more thing:
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe (file missing)
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
Both of those would not remove, or they would, but they come right back if I scan a second time.
Thanks again for all your help.
|
Modzey
Newbie
|
13. January 2009 @ 18:01 |
|
Also, a more interesting problem I am having is I cannot log into any emails. I have an account with excite.com and cannot get past the login phase. It is the same with a school account I have; I know it's not the webpage itself because it works on other computers, and I have no clue about this one.
|
AfterDawn Addict
|
14. January 2009 @ 05:47 |
|
Modzey,
Using Excite.com may not be a good idea. After a little research, I find:
Quote: The Avast! forums were recently hacked and the injected iframe code was serving up malware. MySpace & Excite.com (search portal) are also serving up malware-laced banner ads.
I haven't seen the malware you have since 2005 and can't remember how I handled it. Give me a break; I'm an old dude...
I'll be doing more research but in the meantime please do the following:
Delete Bad Services
Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there is not a tick next to Word Wrap. If there's one, click on Word Wrap to remove it. Copy and paste the following in the quote box into Notepad:
Quote:
@echo off
rem Stop and then unregister both rogue services from the HijackThis log
sc stop ntlogin32
sc delete ntlogin32
sc stop wtaskbarmngr
sc delete wtaskbarmngr
exit
Click on File > Save As....
In the File Name box, copy and paste in fix.bat
In the Save as type box, select All Files from the drop-down list.
Click Save and save it to your Desktop.
Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.
Run Malwarebytes' Anti-Malware
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Last run ComboFix
1. Download ComboFix from one of these locations.
* IMPORTANT !!! Place combofix.exe on your Desktop
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Click Start > Run and copy and paste this in exactly, using the picture below for reference, then click OK.
Quote:
"%userprofile%\desktop\combofix.exe" /killall

3. Combo will begin to run DO NOTHING while this is happening.
• It will kill a few processes and disconnect you from the internet.
• If by chance it stops prematurely you can re-establish your internet connection by restarting your computer.
• This needs to be done so the program can work most efficiently for you.
Do not attempt to use the internet or anything else while it's doing its job for you.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
If when it's completed you can not get on the internet just reboot the computer
Post the log from ComboFix for me, located in
c:\comboFix.txt
Please post the MBAM Log, ComboFix Log and a fresh HJT log in your next reply.
Hang in there, we'll get you cleaned up...
2OG

|
Modzey
Newbie
|
14. January 2009 @ 10:05 |
|
Wow, thanks so much for your help. Also, I got IE to work as well as my logins. It seemed that Norton had something to do with a lot of the login problems and such. So now I have Kaspersky : )
Once again, thanks for your help.
|
AfterDawn Addict
|
14. January 2009 @ 10:12 |
|
You're welcome. just glad when I can help a little..
2OG

|
Modzey
Newbie
|
14. January 2009 @ 15:10 |
|
OK, here are the three logs:
MBAM
Malwarebytes' Anti-Malware 1.32
Database version: 1653
Windows 5.1.2600 Service Pack 2
1/14/2009 2:41:35 PM
mbam-log-2009-01-14 (14-41-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 242942
Time elapsed: 1 hour(s), 3 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afe35be6-a800-43b0-933c-c7b7a35f4db4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afe35be6-a800-43b0-933c-c7b7a35f4db4} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Kevin\Application Data\cogad\cogad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{FDA24120-426D-41B7-B4D1-33793DFE4BF6}\RP5\A0001706.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ikizhs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xghubtyt.dll (Trojan.Vundo) -> Delete on reboot.
----------------------------------------------------------------------
COMBOfix
ComboFix 09-01-13.04 - Kevin 2009-01-14 14:52:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1630 [GMT -5:00]
Running from: C:\Documents and Settings\Kevin\desktop\combofix.exe
Command switches used :: /killall
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
FW: Kaspersky Internet Security *disabled*
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
C:\WINDOWS\system32\AutoRun.inf
C:\WINDOWS\system32\Memman.vxd
C:\WINDOWS\system32\skinboxer43.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_HAXDRV
-------\Legacy_NTLOGIN32
-------\Service_haxdrv
-------\Service_ntlogin32
-------\Service_seneka
((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.
2009-01-13 23:13 . 2009-01-13 23:13 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2009-01-13 23:13 . 2009-01-13 23:13 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2009-01-13 23:12 . 2009-01-13 23:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2009-01-13 23:12 . 2009-01-14 14:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-01-13 23:12 . 2009-01-14 14:55 6,583,840 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2009-01-13 23:12 . 2009-01-14 14:58 376,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2009-01-13 23:12 . 2009-01-14 14:55 52,516 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2009-01-13 23:12 . 2009-01-14 14:58 2,368 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2009-01-13 23:08 . 2009-01-13 23:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-11 20:14 . 2009-01-11 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PrevxCSI
2009-01-11 19:31 . 2009-01-11 19:31 <DIR> d-------- C:\Program Files\Trend Micro
2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Malwarebytes
2009-01-09 16:56 . 2009-01-09 16:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-09 16:56 . 2009-01-04 18:41 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-01-09 16:56 . 2009-01-04 18:41 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\SUPERAntiSpyware.com
2009-01-09 16:51 . 2009-01-09 16:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-09 15:55 . 2009-01-09 16:17 0 --a------ C:\WINDOWS\system32\drivers\93671a7c.sys
2009-01-09 15:54 . 2009-01-14 13:45 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\cogad
2009-01-07 22:13 . 2009-01-07 22:13 <DIR> d-------- C:\Program Files\Total Video Converter
2009-01-07 21:48 . 2009-01-07 21:48 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2009-01-07 21:48 . 2009-01-07 21:48 1,409 --a------ C:\WINDOWS\QTFont.for
2009-01-07 21:41 . 2009-01-07 21:41 <DIR> d-------- C:\Program Files\FLV Player
2009-01-06 00:36 . 2009-01-06 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\2C52
2009-01-04 23:20 . 2009-01-04 23:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\92E
2009-01-04 23:19 . 2009-01-04 23:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F138
2008-12-25 00:50 . 2008-12-25 00:50 <DIR> d-------- C:\Program Files\Lead Pursuit
2008-12-25 00:33 . 2008-12-25 00:33 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\ATI
2008-12-25 00:33 . 2008-12-25 00:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2008-12-25 00:32 . 2008-12-25 00:32 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-12-25 00:08 . 2008-12-25 00:08 <DIR> d-------- C:\Program Files\Common Files\ATI Technologies
2008-12-25 00:07 . 2008-01-09 21:35 887,724 -ra------ C:\WINDOWS\system32\ativva6x.dat
2008-12-25 00:07 . 2008-01-09 21:05 593,920 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-12-25 00:07 . 2008-01-09 22:07 368,640 -ra------ C:\WINDOWS\system32\ATIDEMGX.dll
2008-12-25 00:07 . 2008-01-09 21:58 307,200 -ra------ C:\WINDOWS\system32\atiiiexx.dll
2008-12-25 00:07 . 2007-11-20 03:23 11,874 -ra------ C:\WINDOWS\atiogl.xml
2008-12-25 00:07 . 2007-08-31 09:20 7,167 -ra------ C:\WINDOWS\system32\atifglpf.xml
2008-12-25 00:06 . 2008-01-09 21:35 3,107,788 -ra------ C:\WINDOWS\system32\ativvaxx.dat
2008-12-25 00:06 . 2008-01-09 21:35 3,107,788 -ra------ C:\WINDOWS\system32\ativva5x.dat
2008-12-25 00:06 . 2008-01-07 09:43 165,782 -ra------ C:\WINDOWS\system32\atiicdxx.dat
2008-12-25 00:04 . 2008-12-25 00:18 <DIR> d-------- C:\Program Files\ATI Technologies
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 04:20 --------- d-----w C:\Documents and Settings\Kevin\Application Data\uTorrent
2009-01-14 04:10 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2009-01-14 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-14 03:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2009-01-09 21:48 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2009-01-09 21:48 --------- d-----w C:\Documents and Settings\Kevin\Application Data\Registry Booster
2009-01-05 04:24 --------- d-----w C:\Program Files\BearShare
2008-12-25 05:09 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-12-24 06:42 --------- d-----w C:\Program Files\LIVEUPDATE
2008-12-20 16:31 37,510 ----a-w C:\Documents and Settings\Kevin\Application Data\wklnhst.dat
2008-12-04 16:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\1064
2008-12-04 04:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\E1BC
2008-12-04 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\C1BC
2008-11-30 21:15 --------- d-----w C:\Program Files\Netflix
2008-11-26 08:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-11-25 06:54 --------- d-----w C:\Program Files\BearShare Applications
2008-11-25 06:44 --------- d-----w C:\Program Files\PartyGaming
2008-11-25 00:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\43B9
2008-11-24 20:27 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-11-23 18:51 --------- d-----w C:\Documents and Settings\Kevin\Application Data\U3
2008-11-23 18:46 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-11-01 22:57 1,594,541 ----a-w C:\WINDOWS\WANEUninstaller.exe
2008-09-16 18:10 65,976 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2008-12-20 06:29 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-20 06:29 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-20 06:29 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-20 06:29 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-20 06:29 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
2006-02-21 04:02 2 --shatr C:\WINDOWS\winstart.bat
.
----------------------------------------------------------------------
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08, on 2009-01-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue Quick Access] "C:\Program Files\Uniblue\ProcessLibrary\qaccess.exe" /startup
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OpcEnum - OPC Foundation - C:\WINDOWS\system32\OpcEnum.exe
--
End of file - 5574 bytes
jdmorris1
Newbie
15. January 2009 @ 00:44
Hey guys.
I'm also having the same problem. I was wondering if you could help me out as well.
I've already downloaded the 3 pieces of software you suggested. I am currently in safe mode and ran ATF Cleaner, and I am in the process of running SUPERAntiSpyware Free. I will run Mbam after that and post the results.
Any help will be greatly appreciated.
Thanks
AfterDawn Addict
15. January 2009 @ 01:53
@jdmorris1, post your logs and I'll look them over.
Modzey,
Your Logs look good now, are you having any problems???
The only thing I see is that your Java is way out of date...
Java Runtime can be activated by websites, so if there is a security vulnerability in any Java version on your machine, it can be exploited by a malicious site to infect your machine. Each new version of Java fixes security vulnerabilities, so it's extremely important to keep up to date, and its auto-update mechanism isn't considered very reliable. So yes, it's important to regularly check for updates, and if you don't use it, then it's best removed from your machine.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
Remove Old Java using JavaRa
Download JavaRa and unzip it to your desktop.
***Please close any instances of Internet Explorer before continuing!***
• Double-click on JavaRa.exe to start the program
• From the drop-down menu, choose English and click on Select
• JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer
• Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK
• A logfile will pop up. Save it to a convenient location
• Click on Additional Tasks then tick Remove Useless JRE Files
• Click Go then OK when prompted & close the program.
Update Java Runtime
• Go to http://java.sun.com/javase/downloads/index.jsp
• Scroll down to Java Runtime Environment (JRE) 6 Update 11 and click on the Download button
• In the Platform box choose Windows
• Check the box to Accept License Agreement and click Continue
• Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop
• Install the new version by running the downloaded file with the Java icon & follow the on-screen instructions
• Reboot your computer
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...
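The out-of-date Java was visible in the HijackThis log above: the O9 entries point into a jre1.5.0_01 folder, and the same logs show a process running from C:\WINDOWS\TEMP, which is exactly where the Malwarebytes logs in this thread found droppers. As an added example that is not from this thread, from HijackThis or from any of the tools named here, the Python script below reads HijackThis-style lines, pulls the JRE version out of any Java plug-in path and compares it against JRE 6 Update 11 (the version the post recommends), and lists every process or autorun entry whose path runs through a Temp folder. The sample log embedded in it is constructed from a few lines modelled on the logs posted here; `example_updater.exe` is a made-up file name.

```python
import re

# Constructed sample: a handful of HijackThis-style lines modelled on the logs
# posted in this thread. Not a real log; example_updater.exe is a made-up name.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\TEMP\KD4ECE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Kevin\Local Settings\Temp\example_updater.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# JRE 6 Update 11, the version the thread tells the poster to install
MIN_JAVA = (1, 6, 0, 11)

# A Windows path ending in an executable, library or driver name. Paths in
# these logs never contain quotes or commas, so those characters end the match.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n,]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

# JRE install folder names: "jre1.5.0_01" (full version) or "jre6" (major only)
JAVA_RE = re.compile(r'\\jre(\d+)(?:\.(\d+)\.(\d+)_(\d+))?\\', re.IGNORECASE)


def parse_hjt(text):
    """Return (section, path) pairs for every log line carrying an executable path.

    section is 'process' for the 'Running processes' list, otherwise the
    HijackThis item code on the line (O2, O4, O9, O23, ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        code = re.match(r'([OR]\d+)\s*-', line)
        if code:
            section = code.group(1)
        elif re.match(r'[A-Za-z]:\\', line):
            section = "process"
        else:
            continue  # header or blank line
        found = PATH_RE.search(line)
        if found:
            entries.append((section, found.group(0)))
    return entries


def is_temp_path(path):
    """True when a directory component (not the file name) is a temp folder."""
    folders = path.lower().split("\\")[:-1]
    return any(f in ("temp", "tmp") for f in folders)


def java_version(path):
    """(version_tuple, update_known) for a path inside a JRE folder, else None."""
    m = JAVA_RE.search(path)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    if minor is None:
        # "jre6" style folder: Java SE 6 is 1.6, but the update level is not in the path
        return (1, int(major), 0, 0), False
    return (int(major), int(minor), int(micro), int(update)), True


def analyze_hjt_log(text, min_java=MIN_JAVA):
    """Triage a HijackThis log: temp-folder executables and outdated Java plug-ins."""
    findings = {"temp_paths": [], "old_java": [], "java_unknown_update": []}
    for section, path in parse_hjt(text):
        if is_temp_path(path):
            findings["temp_paths"].append((section, path))
        jv = java_version(path)
        if jv is None:
            continue
        version, update_known = jv
        if not update_known:
            findings["java_unknown_update"].append(path)
        elif version < min_java:
            findings["old_java"].append((path, "%d.%d.%d_%02d" % version))
    return findings


if __name__ == "__main__":
    result = analyze_hjt_log(SAMPLE_HJT_LOG)
    for section, path in result["temp_paths"]:
        print("runs from a temp folder (%s): %s" % (section, path))
    for path, label in result["old_java"]:
        print("Java %s is older than %d.%d.%d_%02d: %s" % ((label,) + MIN_JAVA + (path,)))
    for path in result["java_unknown_update"]:
        print("Java present, update level not visible in the path: %s" % path)
```

To run it against a real log, read the saved hijackthis.log into a string and pass it to analyze_hjt_log. A jre6-style folder name carries no update number, so the script reports those entries as "update level not visible" instead of guessing whether they are current; the full jre1.x.y_zz folder names used by older installers are compared directly. A temp-folder hit is a lead to look at, not proof of infection on its own.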
cachee
Junior Member
15. January 2009 @ 04:24
hiya guys, I managed to get this virus last night too *angry face*, so will be posting a thread for much needed help. My PC blue screened before I could do anything, which sucked :( then I went to bed and gave up.
There is no spoon...
cachee
Junior Member
15. January 2009 @ 13:13
tried all of the above, here are my logs mate. Haven't removed anything from HJT so advice would be appreciated.
Chris
--
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/15/2009 at 04:35 PM
Application Version : 4.24.1004
Core Rules Database Version : 3710
Trace Rules Database Version: 1685
Scan type : Complete Scan
Total Scan Time : 00:40:33
Memory items scanned : 149
Memory threats detected : 1
Registry items scanned : 7463
Registry threats detected : 23
File items scanned : 29393
File threats detected : 11
Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\JKKJCCST.DLL
C:\WINDOWS\SYSTEM32\JKKJCCST.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkkJcCst
C:\WINDOWS\SYSTEM32\PMNKLDSS.DLL
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}
HKCR\CLSID\{6D794CB4-C7CD-4C6F-BFDC-9B77AFBDC02C}
Trojan.Dropper/Sys-NV
HKLM\System\ControlSet001\Services\aylnlfdx
C:\WINDOWS\SYSTEM32\DRIVERS\PHQGHUME.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_aylnlfdx
HKLM\System\ControlSet003\Services\aylnlfdx
HKLM\System\ControlSet003\Enum\Root\LEGACY_aylnlfdx
HKLM\System\CurrentControlSet\Services\aylnlfdx
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_aylnlfdx
Adware.Vundo Variant/Rel
HKLM\SOFTWARE\Microsoft\RemoveRP
Rogue.Component/Trace
HKLM\Software\Microsoft\14B0B47D
HKLM\Software\Microsoft\14B0B47D#14b0b47d
HKLM\Software\Microsoft\14B0B47D#Version
HKU\S-1-5-21-1659004503-2049760794-839522115-1003\Software\Microsoft\CS41275
Adware.Prun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet#UninstallString
BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
C:\DOCUMENTS AND SETTINGS\ALL USERS\START MENU\PROGRAMS\BEARSHARE.LNK
C:\DOCUMENTS AND SETTINGS\RECON\DESKTOP\PROGRAMS\BEARSHARE.LNK
Trojan.Vundo-Variant/Small-GEN
C:\WINDOWS\SYSTEM32\PMNOGWOE.DLL
Rootkit.SENEKA-Trace
C:\WINDOWS\SYSTEM32\SENEKA.DAT
C:\WINDOWS\SYSTEM32\SENEKADF.DAT
C:\WINDOWS\SYSTEM32\SENEKALOG.DAT
C:\WINDOWS\SYSTEM32\SENEKAPAFKKDAC.DLL
--
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3
15/01/2009 18:03:59
mbam-log-2009-01-15 (18-03-59).txt
Scan type: Full Scan (C:\|D:\|Z:\|)
Objects scanned: 210503
Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ede7658-d3b6-40e1-8360-cdf6c880ffab} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3ede7658-d3b6-40e1-8360-cdf6c880ffab} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vwqpafru (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yftelter (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\pmnkLDsS.dll (Trojan.BHO.H) -> Delete on reboot.
C:\Documents and Settings\RecoN\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\RecoN\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\RecoN\Local Settings\Temp\senekab6b6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\My Completed Downloads\TB.Christmas.Presents.Dec.10th.2008\Ahead.Nero.LiTE.Multilanguage.v8.3.6.0.Incl.Keymaker-EMBRACE\keygen.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\jycwaivz.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\wywlbuef.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaulalpxne.sys (Trojan.Agent) -> Quarantined and deleted successfully.
---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:04, on 15/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Razer\DeathAdder\razerhid.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\program files\steam\steam.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Razer\DeathAdder\razertra.exe
C:\Program Files\Razer\DeathAdder\razerofa.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Click-to-Call BHO - {5C255C8A-E604-49b4-9D64-90988571CECB} - C:\Program Files\Windows Live\Messenger\wlchtc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DeathAdder] C:\Program Files\Razer\DeathAdder\razerhid.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared...01/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1230315314078
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupd...b?1230315308843
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 7385 bytes
Modzey
Newbie
15. January 2009 @ 16:44
ya my computer is running a lot better now. The only thing that I notice is still a little odd is my internet loading of pages and pictures and all is a little slower than before. But aside from that it's great.
Thanks again!!!
AfterDawn Addict
15. January 2009 @ 18:03
@cachee, your logs look good. You need an antivirus.
@Modzey, post some logs and I'll look them over when I get back. I have to be gone for the weekend, so if there is anything left I'll be back Sun or Mon.
cachee
Junior Member
15. January 2009 @ 18:35
Thanks for the info mate. Which one do you suggest?
Chris
jdmorris1
Newbie
15. January 2009 @ 19:16
Hey there, sorry for the delay. Here are my 3 logs.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 01/15/2009 at 05:23 AM
Application Version : 4.24.1004
Core Rules Database Version : 3710
Trace Rules Database Version: 1685
Scan type : Complete Scan
Total Scan Time : 06:55:39
Memory items scanned : 154
Memory threats detected : 1
Registry items scanned : 5529
Registry threats detected : 5
File items scanned : 69268
File threats detected : 3
Adware.Vundo/Variant-Checkers
C:\WINDOWS\SYSTEM32\EBMVFK.DLL
C:\WINDOWS\SYSTEM32\EBMVFK.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{65297192-6076-4b8a-bad8-76b4b32330b3}
HKCR\CLSID\{65297192-6076-4B8A-BAD8-76B4B32330B3}
HKCR\CLSID\{65297192-6076-4B8A-BAD8-76B4B32330B3}\InprocServer32
HKCR\CLSID\{65297192-6076-4B8A-BAD8-76B4B32330B3}\InprocServer32#ThreadingModel
HKU\S-1-5-21-3495030888-1619856395-551336379-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{65297192-6076-4B8A-BAD8-76B4B32330B3}
C:\WINDOWS\SYSTEM32\EPBMILLM.DLL
Trojan.Vundo-Variant/Packed-GEN
C:\WINDOWS\SYSTEM32\OPNOHFFD.DLL
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3
1/15/2009 7:00:23 PM
mbam-log-2009-01-15 (19-00-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 114585
Time elapsed: 6 hour(s), 59 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ebmvfk.dll (Trojan.Vundo) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pjxbolnl (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pjxbolnl (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pjxbolnl (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\ebmvfk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drivers\wbnbcuwj.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekavrswurwt.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekamppboyly.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:04 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\TEMP\KD4ECE.EXE
C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\V0500Mon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://tfuss/default.aspx
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [V0500Mon.exe] C:\WINDOWS\V0500Mon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - https://usstrend4:4343/officescan/console/html/ClientInstall/WinNTChk.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://usstrend4:4343/officescan/console/html/ClientInstall/setup.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008...toUploader5.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsof...b?1189697688937
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/j...ows-i586-jc.cab
O20 - AppInit_DLLs: ebmvfk.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmPfw.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 10637 bytes
Again, thanks for the help. I really appreciate it.
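As an added example (not code from the thread or from any of the tools named in it), a short Python triage script that parses the Malwarebytes "Files Infected" lines and the HijackThis log quoted above and surfaces what a helper would look at first: the O20 AppInit_DLLs entry for ebmvfk.dll, which Malwarebytes had already named Trojan.Vundo and scheduled for delete on reboot, and KD4ECE.EXE running out of C:\WINDOWS\TEMP. The embedded log excerpt is abridged from the post so the script runs offline.

```python
import re
from pathlib import PureWindowsPath
# Constructed excerpt of the Malwarebytes "Files Infected" lines and the
# HijackThis log quoted in the post above (abridged so it runs offline).
MBAM_INFECTED = """\
C:\\WINDOWS\\system32\\ebmvfk.dll (Trojan.Vundo) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""
HJT_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\TEMP\\KD4ECE.EXE
O4 - HKLM\\..\\Run: [OfficeScanNT Monitor] "C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe" -HideWindow
O20 - AppInit_DLLs: ebmvfk.dll
O23 - Service: iPod Service - Apple Inc. - C:\\Program Files\\iPod\\bin\\iPodService.exe
"""

# Drive-letter path (spaces allowed in directory names) ending in a file extension.
WIN_PATH = re.compile(r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*\.[A-Za-z0-9]{2,4}')
TEMP_DIR = re.compile(r"\\(?:TEMP|Local Settings\\Temp)\\", re.IGNORECASE)

def mbam_flagged(text):
    """Map lower-cased file names Malwarebytes flagged -> detection name."""
    flagged = {}
    for m in re.finditer(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<det>[^)]+)\)", text, re.M):
        flagged[PureWindowsPath(m["path"]).name.lower()] = m["det"]
    return flagged

def triage(hjt_text, mbam_text):
    """Return (reason, evidence) pairs a helper would review first."""
    flagged = mbam_flagged(mbam_text)
    findings = []
    for line in hjt_text.splitlines():
        line = line.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            # Anything listed here is loaded into every user-mode process.
            for dll in line.split(":", 1)[1].replace(",", " ").split():
                det = flagged.get(dll.lower(), "not in scan output; verify manually")
                findings.append(("AppInit_DLLs load", f"{dll} ({det})"))
            continue
        m = WIN_PATH.search(line)
        if not m:
            continue
        path = m.group(0)
        if TEMP_DIR.search(path):
            findings.append(("executable in a TEMP directory", path))
        if (det := flagged.get(PureWindowsPath(path).name.lower())):
            findings.append((f"file Malwarebytes flagged as {det}", path))
    return findings
```

Run `triage(HJT_LOG, MBAM_INFECTED)` to get the two findings from the excerpt; point it at a full saved log and the complete Malwarebytes report to cross-reference everything the scan named.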
AfterDawn Addict
16. January 2009 @ 10:08
Here is what I use and recommend (partial) to keep your computer clean...
Layered protection works... I NEVER get any malware, spyware, Trojans, etc. etc. There is more to my plan than is here, but I don't have the time or resources to make it all available right now. I'm working 12 hr shifts...
When I get back, we'll cuss and discuss the reasons I have chosen this software and some others that I recommend in my full plan.
AntiVirus -
Avira AntiVir - The Best! 1st choice; Avast - Very Good, 2nd choice; AVG - not recommended.
AVAST 4 Home Edition had the highest rate of zoo virus detection (92%), followed by AntiVir PersonalEdition Classic at 85% and AVG Free Edition at 81%. However, AVAST's higher zoo detection was offset by a correspondingly higher rate of false positives, 9 total compared to AntiVir at only 2. Conversely, AVG scored the lowest in both categories, racking up 11 false positives.
AntiVir is the BEST AV available, bar none, and has the credentials to prove it...
One drawback to Antivir is the Nag Screens.
Hate nag screens? Me too. I use Avira AntiVir on my computers and here's how to stop that annoying Avira Antivir PE Classic avnotify nag screen:
http://www.elitekiller.com/files/disable_antivir_nag.htm
Of course, these particular antivirus scanners don't claim to have adware and spyware removal capabilities, so it would be unfair to judge them harshly if they do not.
Adware and Spyware -
SpywareBlaster is passive protection. It plugs the holes that spyware and other potentially unwanted software use to get in to your system. As such, there is no running process - and no CPU and memory usage either. All you have to do is remember to update SpywareBlaster once a week, and enable the latest protection.
Note: I'm cheap and am not going to pay for updates. I'm also old and tend to forget to update, so I set up a scheduled task to run SpywareBlaster once a week to remind me. : )
Tutorial and Download:
http://www.bleepingcomputer.com/tutorials/tutorial49.html
Browser -
Use Firefox and install the latest Java - much safer than IE.
Firewall -
Sunbelt-Kerio Personal Firewall is my top recommendation, as it seems to cause the fewest problems yet also manages reasonable protection.
The free and paid versions of Sunbelt Kerio are the same. If you don't buy the product, some advanced features are automatically turned off after 30 days. The product will also nag you every time you start it. For some, this is a small price to pay for a great free firewall. For others, it's a real turnoff. For those, I recommend ZoneAlarm [free].
For new users this is a more or less "set it and forget it" firewall. TIP: Turn off the Inbound Alerts! There are so many that the prompts become bothersome. There is really nothing you can do about these probes, and you can ignore them as long as your setup is Stealth. Test your firewall configuration with ShieldsUp.
AntiMalware / Trojans -
Comodo BOClean protects your computer against trojans, malware and other threats. It constantly scans your system in the background and intercepts any recognized trojan activity. The program can ask the user what to do, or run in unattended mode and automatically shutdown and remove any suspected trojan application. Comodo BOClean currently supports more than 68,000 malware items and offers automatic daily updates. Other features include updating via network share, tamper protection and stealth mode.
Antivirus software frequently fails to detect, and more often fails to effectively clean, most malware. BOClean runs automatically in the background without interfering with your work and kills malware INSTANTLY the moment it activates, without giving it the chance to invade your machine. BOClean also eliminates the need to stop what you're doing to secure your machine after it's too late. BOClean works with all versions of Windows. Unlike antivirus programs, BOClean will actually shut them down and destroy them without the need for you to seek out the method of removal or risk dangerous editing of your system's innermost configurations. BOClean requires no technical skills and handles detection, removal and repair of your system automatically.
This should hold you guys until I get home, and then we will see if you are clean or not... If you have any questions, please feel free to smack me with them and I'll do my best to answer in between trying to get a new computer system going... : )
2OG

There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves...