Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Tried several adware programs... nothing is working.

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Tried several adware programs... nothing is working.

Unread postby nanrector » June 12th, 2005, 7:25 pm

I have spent hours trying to get rid of an adware I've had for a few weeks using five or six different adware programs. But I cant' get rid of it. Every time I reboot my machine my browser opens up with different adware screens. It will do it 8 to 10 times then stop... until I reboot again. Even opens up the browser sometimes if I'm not connected.

This is the entry in my HJT log. I fix it, but its back again on rebooting.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start ... start_page

Anyone know what I can do to rid myself of this?

Thanks a bunch!
Below is my full HJT log if needed:

------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:14:59 PM, on 6/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
E:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program Files\Messenger Plus! 3\MsgPlus.exe
E:\WINDOWS\system32\sys876.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\windows\hffext\hffsrv.exe
E:\Program Files\Internet Download Manager\idman.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Modem-On-Hold\moh.exe
E:\Program Files\Personal Notepad\PersonalNotepad.exe
E:\Program Files\Print Screen Deluxe\psdeluxe.exe
E:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
E:\Program Files\trayit\trayit!.exe
E:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Maxthon\Maxthon.exe
C:\Software Programs\1 UTILITIES\VIRUS AND ADWARE\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start ... start_page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\about.htm
F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\System32\ftpex.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SC3300CC] E:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
O4 - HKLM\..\Run: [USBPNP] E:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\K-Lite Codec Pack\real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PinnacleDriverCheck] E:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [McRegWiz] E:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [eTrustPPAP] "E:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Backup NOW! Scheduler] "E:\Program Files\NewTech Infosystems\NTI Backup NOW!\Schdlr32.exe" -s
O4 - HKLM\..\Run: [sys876] E:\WINDOWS\system32\sys876.exe
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hffsrv] e:\windows\hffext\hffsrv.exe
O4 - HKCU\..\Run: [SrvShield32] E:\PROGRA~1\SPYTEC~1\SPYTEC~1\SpamAgent.exe
O4 - HKCU\..\Run: [IDMan] E:\Program Files\Internet Download Manager\idman.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: moh.lnk = E:\Program Files\Modem-On-Hold\moh.exe
O4 - Startup: Personal Notepad.lnk = E:\Program Files\Personal Notepad\PersonalNotepad.exe
O4 - Startup: Print Screen Deluxe.lnk = E:\Program Files\Print Screen Deluxe\psdeluxe.exe
O4 - Startup: QuickShelf 2000.lnk = E:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: TrayIt!.lnk = E:\Program Files\trayit\trayit!.exe
O8 - Extra context menu item: BugMeNot - E:\Program Files\Maxthon\Plugin\BugMeNot4Maxthon\BugMeNot4Maxthon.html
O8 - Extra context menu item: Customize Menu - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All Links with IDM - E:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Fill Forms - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{279EE0DA-2F55-4745-AAB9-8452071AD97B}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{279EE0DA-2F55-4745-AAB9-8452071AD97B}: NameServer = 209.244.0.3 209.244.0.4
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
nanrector
Regular Member
 
Posts: 47
Joined: June 12th, 2005, 7:16 pm
Advertisement
Register to Remove

Unread postby Bertha » June 13th, 2005, 1:44 pm

Hey nanrecotr,

Im looking at your Hijackthis Log, just a moment

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Unread postby Bertha » June 13th, 2005, 2:06 pm

nanrector,

Hello! and welcome to the MR forums.

Print/Copy this so you can follow it

-Be sure to look this solution over before you begin.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

You have a LOP infection that often comes together with Messenger Plus. To remove it we will try the simple way first.

1. Go to Add/Remove programs. Double click on "Messenger Plus!" (or click on Remove)

2. The "Messenger Plus! - Setup" is now displayed. Click on the Uninstall button. Note: options displayed on the first screen are not related to the sponsor program.

3. The sponsor screen is now displayed (if you don't see it, search for it in your Task Bar). To prove that someone is currently reading the screen, you have to type the code that is displayed. Once you enter the code, press Uninstall.

4. If you entered the code properly, the program will ask you to confirm that you want to uninstall. You must answer "Yes" to this question, else, you won't have another chance of uninstalling.

5. To complete the uninstallation, follow the instructions that are displayed (the first one is to close all your Internet Explorer windows, that's very important). When everything is complete, restart your computer and, hopefully voila one nasty infection is gone.

===============

Run HiJackThis then:

1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

E:\Program Files\Messenger Plus! 3\MsgPlus.exe
E:\WINDOWS\system32\sys876.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Run HiJackThis and click "Scan", then check(tick) the following, if present:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://69.50.190.135/?to=FED&from=start ... start_page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = E:\WINDOWS\about.htm

F2 - REG:system.ini: Shell=explorer.exe E:\WINDOWS\System32\ftpex.exe

O3 - Toolbar: (no name) - {67970B26-F57D-4455-8262-81C3AE3B8B5E} - (no file)

O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [sys876] E:\WINDOWS\system32\sys876.exe


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

folders...

E:\Program Files\Messenger Plus! 3

files...

E:\WINDOWS\system32\sys876.exe
E:\WINDOWS\System32\ftpex.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
Temporary Files
Temporary Internet Files
Recycle Bin


===============

Post back a new log, and let me know how everything goes.

-

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Its fixed!

Unread postby nanrector » June 14th, 2005, 2:12 pm

Well that seems to have fixed it. I think Im good now. Thanks so much for your time and help!
Nancy
nanrector
Regular Member
 
Posts: 47
Joined: June 12th, 2005, 7:16 pm

Unread postby Bertha » June 14th, 2005, 2:31 pm

Can you post a new Hijackthis Log for me to see

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

HJT log

Unread postby nanrector » June 14th, 2005, 2:35 pm

Here is my log. Messenger Plus did not have the adware installed. I delelted it and reinstalled it... again without the adware option checked. This is the first time in weeks Ive not had pop ups. Sure is nice! I also have installed some adware prevention tools to help prevent further attacks.

Logfile of HijackThis v1.99.1
Scan saved at 1:33:53 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
E:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\MessengerPlus! 3\MsgPlus.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Modem-On-Hold\moh.exe
E:\Program Files\Personal Notepad\PersonalNotepad.exe
E:\Program Files\Print Screen Deluxe\psdeluxe.exe
E:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
E:\Program Files\trayit\trayit!.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\System32\CTsvcCDA.exe
E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\system32\pctspk.exe
E:\Program Files\Norton AntiVirus\SAVScan.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
E:\Program Files\Maxthon\Maxthon.exe
E:\Program Files\Norton AntiVirus\OPScan.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - E:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - E:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - E:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SC3300CC] E:\WINDOWS\twain_32\SiPix\SC-3300\SC3300CC.exe
O4 - HKLM\..\Run: [USBPNP] E:\WINDOWS\twain_32\SiPix\SC-3300\USBPNP.exe
O4 - HKLM\..\Run: [CTSysVol] E:\Program Files\Creative\SBAudigy LS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [UpdReg] E:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] E:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [McRegWiz] E:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [MCAgentExe] e:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] E:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [eTrustPPAP] "E:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Backup NOW! Scheduler] "E:\Program Files\NewTech Infosystems\NTI Backup NOW!\Schdlr32.exe" -s
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] E:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] E:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "E:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [SrvShield32] E:\PROGRA~1\SPYTEC~1\SPYTEC~1\SpamAgent.exe
O4 - HKCU\..\Run: [IDMan] E:\Program Files\Internet Download Manager\idman.exe /onboot
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: moh.lnk = E:\Program Files\Modem-On-Hold\moh.exe
O4 - Startup: Personal Notepad.lnk = E:\Program Files\Personal Notepad\PersonalNotepad.exe
O4 - Startup: Print Screen Deluxe.lnk = E:\Program Files\Print Screen Deluxe\psdeluxe.exe
O4 - Startup: QuickShelf 2000.lnk = E:\Program Files\Microsoft Reference\Bookshelf 2000\qshelf2k.exe
O4 - Startup: TrayIt!.lnk = E:\Program Files\trayit\trayit!.exe
O8 - Extra context menu item: BugMeNot - E:\Program Files\Maxthon\Plugin\BugMeNot4Maxthon\BugMeNot4Maxthon.html
O8 - Extra context menu item: Customize Menu - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download All Links with IDM - E:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - E:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Fill Forms - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Snippets - {7130DF06-BBC1-4e16-83D4-1F875E65B695} - E:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://E:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - E:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - E:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: e:\windows\system32\idmmbc.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{279EE0DA-2F55-4745-AAB9-8452071AD97B}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{279EE0DA-2F55-4745-AAB9-8452071AD97B}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - E:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - E:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - E:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - E:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
nanrector
Regular Member
 
Posts: 47
Joined: June 12th, 2005, 7:16 pm

Unread postby Bertha » June 14th, 2005, 2:37 pm

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

(ChrisRLG)

Bertha
User avatar
Bertha
Admin/Teacher Emeritus
 
Posts: 2053
Joined: February 6th, 2005, 1:17 pm
Location: Midlands

Thanks so much!

Unread postby nanrector » June 15th, 2005, 9:41 am

Thanks again. I have copied your last instructions and will go over them in detail.
Appreicate the help.
Nancy
nanrector
Regular Member
 
Posts: 47
Joined: June 12th, 2005, 7:16 pm

Unread postby Nick-YF19 » June 16th, 2005, 1:21 am

Glad we could be of assistance.

This topic is now closed. If you wish it
reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nick-YF19
Admin/Teacher Emeritus
 
Posts: 4036
Joined: May 17th, 2005, 12:42 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 38 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware