Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Malware Infection - Help?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Malware Infection - Help?

Unread postby Jason2781 » August 4th, 2007, 7:39 pm

Today at some point while I was on the internet, somehow WinSpywareRemoval 2007 installed on my PC, and while I've deleted it at least 3 times, it keeps popping back up. In addition to that, I am having problems with constant pop ups. Below is my HijackThis logfile. Any help would be greatly appreciated. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:36:05 PM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\svhost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WNSXS~1\csrss.exe
C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Scanner\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [close trans] C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Btjtizk] "C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugi ... .5.1.8.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm
Advertisement
Register to Remove

Unread postby silver » August 4th, 2007, 11:34 pm

Hi Jason2781,

Your computer appears to have been infected by a backdoor trojan. These programs have the ability to steal passwords and other information from your system. If you use your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean, if this is unacceptable to you then you should consider reformatting the system partition and reinstalling Windows as this is the only 100% sure answer.

If you wish to reformat then please let me know in your next response, I'll now continue with instructions for cleaning.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).


Then, navigate to the HijackThis folder with Windows Explorer:
C:\Scanner
Right-click the HijackThis program file HijackThis.exe and rename it to scan.exe
If you have a shortcut to HijackThis on your Desktop, it will no longer work, so please delete it and make a new one by right-clicking scan.exe and choosing Send To->Desktop (create shortcut)

Now open HijackThis, select Open the Misc Tools section
Press the Open Uninstall Manager... button, then press Save list...
Save the Uninstall log to your deskop and include a copy in your next response.
Now press Back and Scan and then Save log to create and save a new HijackThis log.

Once complete, please post the SDFix report, the uninstall list and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Jason2781 » August 5th, 2007, 12:04 pm

Ok I've run SDFix, and HijackThis again. Below are all the reports you asked for


SDFix: Version 1.95

Run by Owner on Sun 08/05/2007 at 11:34 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Program Files\poolsv\k11u72.exe - Deleted
C:\Program Files\poolsv\svhost.exe - Deleted
C:\Program Files\poolsv\wr-1-0000077.exe - Deleted
C:\Program Files\poolsv\YazzleBundle-1549.exe - Deleted
C:\WINDOWS\svhost.exe - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\wr.txt - Deleted


Folder C:\Program Files\poolsv - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:bittorrent"
"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe"="C:\\Program Files\\Netscape\\Netscape\\Netscp.exe:*:Enabled:Netscape"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArtSmall.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{076031BF-8285-497C-8C01-E8651AB4B2ED}_Large.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{076031BF-8285-497C-8C01-E8651AB4B2ED}_Small.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{39076618-0D47-4C93-BF53-10914614AB0F}_Large.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{39076618-0D47-4C93-BF53-10914614AB0F}_Small.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{3C49FD86-397B-40B2-B6EC-C6C4C974025B}_Large.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{3C49FD86-397B-40B2-B6EC-C6C4C974025B}_Small.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{E66BEE18-4FF1-488E-A955-4C74672B99DE}_Large.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\AlbumArt_{E66BEE18-4FF1-488E-A955-4C74672B99DE}_Small.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\desktop.ini
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\Folder.jpg
C:\My Music\1987 Paul McCartney - All The Best - Rock - http://www.torrentsource.com.ar byMALO\Thumbs.db
C:\My Music\Bananarama - Drama (Advance 2005) - Disco [www.torrentazos.com]\Thumbs.db
C:\My Music\Depeche Mode\Depeche Mode - A Pain That Im Used To [CDS][Electronic][2005][www.pctrecords.com]\Thumbs.db
C:\My Music\Depeche Mode\Depeche Mode - Playing The Angel (Advance 2005) - Pop_Rock - http://www.torrentazos.com By FEFE2003\Thumbs.db
C:\My Music\Jackson Five - Soul Legends (2006) - R&B [www.torrentazos.com]\Thumbs.db
C:\My Music\Kelis-Kelis_Was_Here-2006-(http://www.realrnb.com)\Thumbs.db
C:\My Music\Stevie Nicks - Crystal Visions (The Very Best) [2007] - Rock [www.torrentazos.com]\Thumbs.db
C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe
C:\Documents and Settings\Owner\My Documents\?ystem\wucrtupd.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\W?nSxS\csrss.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Program Files\InterActual\InterActual Player\itiAD9.tmp
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished


Uninstall List
____________________________________________________________
#1 DVD Audio Ripper 1.2.20
Ad-Aware SE Personal
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Illustrator CS
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AIM "You've Got Pictures" Picture Finder Plugin v9.5.1.8
Alive MP3 WAV Converter 3.8.0.9
AOL Instant Messenger
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
AviSynth 2.5
Best Buy Digital Music Store
Best Buy Rhapsody
BigFix
BitTorrent 4.24.2
Boilsoft 3GP/iPod/PSP/MP4 Converter 1.22
ccCommon
CDisplay 1.8
City of Villains/City of Heroes (remove only)
CivCity
CleanUp!
Comic Collector Live
DC++ 0.698
DDS Converter 2.1
Digital Media Reader
Direct WAV MP3 Splitter 2.2
DivX
DivX Player
DVD Decrypter (Remove Only)
DVD Shrink 3.2
eMusic - 50 Free MP3 offer
Family Tree Maker
Family Tree Maker 2005
Fetch
First Step Guide
Flock (Photobucket Edition) 0.7
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hello (remove only)
High Definition Audio Driver Package - KB835221
Hijackthis 1.99.1
HijackThis 1.99.1
Home and Business Attorney
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ImageMixer VCD2
InCD
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Adapters and Drivers
InterActual Player
Internet Worm Protection
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
Java Web Start
Kaspersky Online Scanner
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash Player 8
McAfee AntiSpyware
McAfee SecurityCenter
Media Center Extender
Media Center Extender
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2005
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Picture It! Premium 10
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
MSXML 4.0 SP2 (KB927978)
Multimedia Keyboard Driver
MySpaceIM
Napster Burn Engine
Nero BurnRights
Nero Digital
Nero Media Player
Nero OEM
Netscape (7.2)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Security Center
Norton WMI Update
NVIDIA Photoshop Plug-ins
OTOY
Panda ActiveScan
Picasa 2
Picture Package
PowerDVD
PSP Video 9 1.74
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Recovery Software Suite Gateway
RegCure 1.3.0.2
RegFix Mantra v3.1
Rhapsody Player Engine
Safari
SecureVideo Plug-in
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
SimCity 4
SoftV92 Data Fax Modem with SmartCP
Sony Sound Forge 8.0
Sony USB Driver
SPBBC
SpongeBob SquarePants Diner Dash 2
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
Symantec
Symantec Script Blocking Installer
SymNet
The Movies(TM)
The Sims 2
The Sims 2 Family Fun Stuff
The Sims 2 Glamour Life Stuff
The Sims 2 HomeCrafter Plus
The Sims 2 Nightlife
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Simsâ„¢ 2 Seasons
TSR Installation Wizard
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update Rollup 2 for Windows XP Media Center Edition 2005
Videora Xbox360 Converter 0.81
Viewpoint Media Player
Wave Splitter 2.10
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Overlay Components
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver
Xfire (remove only)
Xingtone Ringtone Maker
Yahoo! Toolbar for Internet Explorer


Logfile of HijackThis v1.99.1
Scan saved at 12:02:09 PM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WNSXS~1\csrss.exe
C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Scanner\Scan.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34AD8CB2-310B-6B8E-2177-38B6023DF090} - C:\WINDOWS\system32\svknhis.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ssqopqp.dll
O2 - BHO: (no name) - {6D5F89DC-7093-423E-AD09-115DEC9E2302} - C:\WINDOWS\system32\pmkhh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\jxqvqgkw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [close trans] C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Btjtizk] "C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugi ... .5.1.8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: pmkhh - C:\WINDOWS\system32\pmkhh.dll
O20 - Winlogon Notify: ssqopqp - C:\WINDOWS\SYSTEM32\ssqopqp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby Jason2781 » August 5th, 2007, 3:50 pm

I though I should mention that since I ran the programs you told me to, I am still having problems with pop ups for WinSpywareRemoval 2007, and also installers popping up.
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby silver » August 5th, 2007, 9:38 pm

Hi Jason2781,

I am still having problems with pop ups for WinSpywareRemoval 2007, and also installers popping up.

Yes I understand. You have several infections and for best results we need to do things in order. We've now removed what was arguably the worst infection, which had no symptoms at all, we'll be getting rid of the popups very soon so please bear with me :)

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A log file will be created at C:\vundofix.txt, please post the contents of this in your next response.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Then download NoLop to your desktop from here or here
  • Close any other programs you have running as this will require a reboot
  • Double click NoLop.exe to run it
  • Now click the button labelled "Search and Destroy"
    Your computer will now be scanned for infected files
  • When scanning is finished you will be prompted to reboot only if infected, Click OK
  • Now click the "REBOOT" Button.
  • A message should popup from NoLop. If not, double click the program again and it will finish
  • Please post the contents of C:\NoLop.log in your next response
If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx and copy it into your C:\WINDOWS\system32 folder then rerun the program.

Once complete, please post the Vundofix log, the NoLop log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Jason2781 » August 5th, 2007, 10:51 pm

Still having pop up problems. Here's the VundoFix log. NoLop said I had no infections and didn't give me a log.


VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:34:38 PM 8/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\pmkhh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Has been deleted!

Performing Repairs to the registry.
Done!
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby silver » August 5th, 2007, 11:12 pm

There will be a NoLop log located here:
C:\NoLop.log

Please post it along with a new HijackThis log :)
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Jason2781 » August 7th, 2007, 11:42 pm

NoLop! Log by Skate_Punk_21

Please Note: any existing old logs will have now been renamed to NoLop!OLD.log

Fix running from: C:\Documents and Settings\Owner\Desktop
[8/5/2007]
[10:51:42 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Identities
C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\Administrator\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Administrator\Application Data\Sun
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Adobe Systems
C:\Documents and Settings\All Users\Application Data\Ahead
C:\Documents and Settings\All Users\Application Data\Aol -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Cyberlink
C:\Documents and Settings\All Users\Application Data\Dvd Shrink
C:\Documents and Settings\All Users\Application Data\Firefly Studios
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Kontiki
C:\Documents and Settings\All Users\Application Data\Lionhead Studios
C:\Documents and Settings\All Users\Application Data\Macrovision
C:\Documents and Settings\All Users\Application Data\Mcafee
C:\Documents and Settings\All Users\Application Data\Mcafee.com
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Napster
C:\Documents and Settings\All Users\Application Data\Prism Deploy
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\River Past G4
C:\Documents and Settings\All Users\Application Data\Salesmonitor
C:\Documents and Settings\All Users\Application Data\Superantispyware.com
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Winantispyware 2007
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Default User\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Sun
C:\Documents and Settings\Localservice\Application Data\Macromedia
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Mozilla
C:\Documents and Settings\Mcx1\Application Data\Identities
C:\Documents and Settings\Mcx1\Application Data\Microsoft
C:\Documents and Settings\Mcx1\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Mcx1\Application Data\Sun
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\.bittornado
C:\Documents and Settings\Owner\Application Data\Adobe
C:\Documents and Settings\Owner\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Ahead
C:\Documents and Settings\Owner\Application Data\Aim
C:\Documents and Settings\Owner\Application Data\Apple Computer
C:\Documents and Settings\Owner\Application Data\Ati
C:\Documents and Settings\Owner\Application Data\Azureus
C:\Documents and Settings\Owner\Application Data\Bitgrabber
C:\Documents and Settings\Owner\Application Data\Bittorrent
C:\Documents and Settings\Owner\Application Data\Canon
C:\Documents and Settings\Owner\Application Data\Cyberlink
C:\Documents and Settings\Owner\Application Data\Dvdcss
C:\Documents and Settings\Owner\Application Data\Efax Messenger
C:\Documents and Settings\Owner\Application Data\Flock
C:\Documents and Settings\Owner\Application Data\Ftw
C:\Documents and Settings\Owner\Application Data\Google
C:\Documents and Settings\Owner\Application Data\Grisoft
C:\Documents and Settings\Owner\Application Data\Hba
C:\Documents and Settings\Owner\Application Data\Help
C:\Documents and Settings\Owner\Application Data\Identities
C:\Documents and Settings\Owner\Application Data\Installshield
C:\Documents and Settings\Owner\Application Data\Lavasoft
C:\Documents and Settings\Owner\Application Data\Lionhead Studios
C:\Documents and Settings\Owner\Application Data\Lucasarts
C:\Documents and Settings\Owner\Application Data\Macromedia
C:\Documents and Settings\Owner\Application Data\Mcafee
C:\Documents and Settings\Owner\Application Data\Microsoft
C:\Documents and Settings\Owner\Application Data\Mozilla
C:\Documents and Settings\Owner\Application Data\My Games -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Myspace
C:\Documents and Settings\Owner\Application Data\Netscape
C:\Documents and Settings\Owner\Application Data\Opera -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Petroglyph
C:\Documents and Settings\Owner\Application Data\Publish Providers -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Real
C:\Documents and Settings\Owner\Application Data\Sampleview -- EMPTY Directory
C:\Documents and Settings\Owner\Application Data\Slysoft
C:\Documents and Settings\Owner\Application Data\Sony
C:\Documents and Settings\Owner\Application Data\Sun
C:\Documents and Settings\Owner\Application Data\Symantec
C:\Documents and Settings\Owner\Application Data\S?curity
C:\Documents and Settings\Owner\Application Data\Template
C:\Documents and Settings\Owner\Application Data\Trojanhunter
C:\Documents and Settings\Owner\Application Data\Vlc
C:\Documents and Settings\Owner\Application Data\Winantispyware 2007
C:\Documents and Settings\Owner\Application Data\Winantispyware 2007 Free
C:\Documents and Settings\Owner\Application Data\Xfire
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby Jason2781 » August 7th, 2007, 11:45 pm

The pop ups are still here and are getting really bad. I can barely use the internet :cry:
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby silver » August 7th, 2007, 11:49 pm

Hi Jason2781,

We'll kill the popups as quickly as possible :)

I also need the new HijackThis log before continuing.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Jason2781 » August 8th, 2007, 11:09 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:10:20 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\WNSXS~1\csrss.exe
C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Scanner\Scan.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34AD8CB2-310B-6B8E-2177-38B6023DF090} - C:\WINDOWS\system32\svknhis.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ssqopqp.dll
O2 - BHO: (no name) - {6D5F89DC-7093-423E-AD09-115DEC9E2302} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CF46BFB3-2ACC-441b-B82B-36B9562C7FF1} - C:\WINDOWS\system32\jxqvqgkw.dll
O2 - BHO: (no name) - {D7D3261D-E239-45E3-9247-9FB77C9C43AC} - C:\WINDOWS\system32\awvtq.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [close trans] C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Btjtizk] "C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugi ... .5.1.8.cab
O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqopqp - C:\WINDOWS\SYSTEM32\ssqopqp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby silver » August 8th, 2007, 11:45 pm

Hi Jason2781,

Please run Vundofix once more but use the add files option:

  • Double-click VundoFix.exe to run it.
  • Right-click the white box in the middle and select Add more files?
  • Copy the first three of the following filename/paths into the boxes:
    C:\WINDOWS\system32\svknhis.dll
    C:\WINDOWS\system32\ssqopqp.dll
    C:\WINDOWS\system32\jxqvqgkw.dll
    C:\WINDOWS\system32\awvtq.dll
  • Then press Add Files, Close Window, then right-click and press Add more files? again, copy/paste the last filename/path and press Add Files, Close Window
  • You should now have all filenames/paths listed in the white box, then press Remove Vundo
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo
  • When completed, it will prompt that it will reboot your computer, click OK
  • Post the contents of C:\vundofix.txt in your next response

Then download ComboFix to your desktop
  • Double click combofix.exe and follow the prompts.
  • Note: Do not click ComboFix's window while it's running - it may cause it to stall!
  • When finished, it shall produce a log for you, please post it in your next response.

Once complete, please post the Vundofix log, the Combofix log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby Jason2781 » August 11th, 2007, 10:15 am

VundoFix V6.5.6

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 10:34:38 PM 8/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\pmkhh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hhkmp.bak1
C:\WINDOWS\system32\hhkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.bak2
C:\WINDOWS\system32\hhkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkhh.dll
C:\WINDOWS\system32\pmkhh.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jxqvqgkw.dll
C:\WINDOWS\system32\jxqvqgkw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqopqp.dll
C:\WINDOWS\system32\ssqopqp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\svknhis.dll
C:\WINDOWS\system32\svknhis.dll Has been deleted!

Performing Repairs to the registry.
Done!



ComboFix 07-08-09.3 - "Owner" 2007-08-11 9:57:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.780 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode
C:\DOCUME~1\Owner\APPLIC~1.\scurit~1
C:\DOCUME~1\Owner\APPLIC~1.\scurit~1\w?wexec.exe
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\Owner\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\Owner\APPLIC~1\WinAntiSpyware 2007 Free\DownloadUWAS7.url
C:\DOCUME~1\Owner\APPLIC~1\WinAntiSpyware 2007\Logs\update.log
C:\DOCUME~1\Owner\MYDOCU~1.\ystem~1
C:\DOCUME~1\Owner\MYDOCU~1.\ystem~1\?ystem\
C:\DOCUME~1\Owner\MYDOCU~1.\ystem~1\wucrtupd.exe
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Terms.lnk
C:\DOCUME~1\Owner\STARTM~1\Programs.\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\system32\bisfyueq.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\f10WtR\f10WtR1099.exe
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.bak2
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.tmp
C:\WINDOWS\system32\gjjjmdiu.dll
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\hogfplhd.exe
C:\WINDOWS\system32\iidfsolw.exe
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\kyatxwgw.exe
C:\WINDOWS\system32\mhukfxbe.exe
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak2
C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\sfabmarc.exe
C:\WINDOWS\system32\ssqopqp.dll
C:\WINDOWS\system32\uidmjjjg.ini
C:\WINDOWS\system32\wayqjhyp.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wnsxs~1\csrss.exe
C:\WINDOWS\system32\wnsxs~1\W?nSxS\
C:\WINDOWS\system32\yayxyvv.dll
C:\WINDOWS\system32\yigedfnv.dll
D:\Autorun.inf


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_APIMON
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FOPN
-------\ApiMon
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-10 07:40 147,520 --a------ C:\WINDOWS\system32\qijjnuuy.dll
2007-08-09 07:23 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-08-05 22:43 212 --a------ C:\delete.bat
2007-08-05 22:34 <DIR> d-------- C:\VundoFix Backups
2007-08-05 11:33 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-04 21:01 3,920 --a------ C:\WINDOWS\system32\tmp.reg
2007-08-04 17:39 <DIR> d-------- C:\!KillBox
2007-08-04 17:37 <DIR> d-------- C:\bintheredunthat
2007-08-04 14:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-08-02 12:01 12,058,624 --a------ C:\DOCUME~1\Owner\ntuser.dat
2007-07-25 14:16 <DIR> d-------- C:\Program Files\Nick Arcade
2007-07-23 10:50 <DIR> d-------- C:\Program Files\3DGroove
2007-07-18 02:14 <DIR> d-------- C:\Program Files\MySpace
2007-07-18 02:14 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\MySpace


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 14:25 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\BitTorrent
2007-08-02 01:53 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Canon
2007-07-17 14:41 --------- d-------- C:\Program Files\Picasa2
2007-07-01 15:14 --------- d-------- C:\Program Files\Norton AntiVirus
2007-07-01 15:14 --------- d-------- C:\Program Files\iTunes
2007-07-01 15:14 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-01 15:14 --------- d-------- C:\Program Files\Bonjour
2007-07-01 15:13 --------- d-------- C:\Program Files\BitTorrent
2007-07-01 15:12 --------- d-------- C:\Program Files\Google
2007-06-30 22:16 --------- d-------- C:\Program Files\TrojanHunter 4.7
2007-06-30 22:10 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\TrojanHunter
2007-06-30 22:09 --------- d-------- C:\Program Files\Digital Media Reader
2007-06-30 19:01 --------- d-------- C:\Program Files\RegFix Mantra
2007-06-25 22:00 --------- d-------- C:\Program Files\ATI Technologies
2007-06-25 21:51 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-24 21:51 --------- d-------- C:\Program Files\EA GAMES
2007-06-23 00:23 --------- d-------- C:\Program Files\iPod
2007-06-19 16:24 --------- d-------- C:\Program Files\MidTen Media
2007-06-19 09:33 45968 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-18 07:22 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\FTW
2007-06-17 00:11 51200 --a------ C:\WINDOWS\nircmd.exe
2007-06-16 13:24 --------- d-------- C:\Program Files\Safari
2007-06-16 13:24 --------- d-------- C:\DOCUME~1\Owner\APPLIC~1\Apple Computer
2007-06-16 13:23 --------- d-------- C:\Program Files\Apple Software Update
2007-06-13 15:50 43152 --a------ C:\WINDOWS\system32\drivers\ativvpxx.vp
2007-06-13 15:25 339968 --a------ C:\WINDOWS\system32\ATIDEMGX.dll
2007-06-13 15:24 268288 --a--c--- C:\WINDOWS\system32\dllcache\ati2dvag.dll
2007-06-13 15:24 268288 --a------ C:\WINDOWS\system32\ati2dvag.dll
2007-06-13 15:24 2155520 --a--c--- C:\WINDOWS\system32\dllcache\ati2mtag.sys
2007-06-13 15:24 2155520 --a------ C:\WINDOWS\system32\drivers\ati2mtag.sys
2007-06-13 15:23 307200 --a------ C:\WINDOWS\system32\atiiiexx.dll
2007-06-13 15:17 42496 --a------ C:\WINDOWS\system32\ati2edxx.dll
2007-06-13 15:17 26112 --a------ C:\WINDOWS\system32\Ati2mdxx.exe
2007-06-13 15:17 139264 --a------ C:\WINDOWS\system32\atipdlxx.dll
2007-06-13 15:17 118784 --a------ C:\WINDOWS\system32\Oemdspif.dll
2007-06-13 15:16 118784 --a------ C:\WINDOWS\system32\ati2evxx.dll
2007-06-13 15:15 483328 --a------ C:\WINDOWS\system32\ati2evxx.exe
2007-06-13 15:14 53248 --a------ C:\WINDOWS\system32\ATIDDC.DLL
2007-06-13 15:10 8097792 --a------ C:\WINDOWS\system32\atioglx2.dll
2007-06-13 15:07 2922208 --a--c--- C:\WINDOWS\system32\dllcache\ati3duag.dll
2007-06-13 15:07 2922208 --a------ C:\WINDOWS\system32\ati3duag.dll
2007-06-13 14:57 972072 --a------ C:\WINDOWS\system32\ativva6x.dat
2007-06-13 14:57 3107788 --a------ C:\WINDOWS\system32\ativvaxx.dat
2007-06-13 14:57 3107788 --a------ C:\WINDOWS\system32\ativva5x.dat
2007-06-13 14:57 1512960 --a--c--- C:\WINDOWS\system32\dllcache\ativvaxx.dll
2007-06-13 14:57 1512960 --a------ C:\WINDOWS\system32\ativvaxx.dll
2007-06-13 14:46 5431296 --a------ C:\WINDOWS\system32\atioglxx.dll
2007-06-13 14:43 262144 --a------ C:\WINDOWS\system32\atikvmag.dll
2007-06-13 14:42 17408 --a------ C:\WINDOWS\system32\atitvo32.dll
2007-06-13 14:41 50176 --a------ C:\WINDOWS\system32\atiok3x2.dll
2007-06-13 14:41 49152 --a------ C:\WINDOWS\system32\drivers\ati2erec.dll
2007-06-13 14:36 368640 --a--c--- C:\WINDOWS\system32\dllcache\ati2cqag.dll
2007-06-13 14:36 368640 --a------ C:\WINDOWS\system32\ati2cqag.dll
2007-06-13 14:29 520192 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-03-05 13:40 836 --a------ C:\DOCUME~1\Owner\APPLIC~1\ViewerApp.dat
2006-06-25 23:13 565248 --ahsc--- C:\Program Files\ehthumbs.db
2006-05-10 07:23 244 --a--c--- C:\DOCUME~1\Owner\APPLIC~1\wklnhst.dat


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34AD8CB2-310B-6B8E-2177-38B6023DF090}]
C:\WINDOWS\system32\svknhis.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D5F89DC-7093-423E-AD09-115DEC9E2302}]
C:\WINDOWS\system32\pmkhh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7D3261D-E239-45E3-9247-9FB77C9C43AC}]
C:\WINDOWS\system32\awvtq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" []
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" []
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" []
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\mcupdate.exe" []
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 C:\WINDOWS\ShowWnd.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Mixersel"="C:\Program Files\Realtek\InstallShield\mixersel.exe" []
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 18:20 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 21:44 C:\WINDOWS\ALCWZRD.EXE]
"_AntiSpyware"="c:\progra~1\mcafee\MCAFEE~1\MssCli.exe" []
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" []
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" []
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-04-30 18:36]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 20:45 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"SystemRescue"="C:\WINDOWS\system32\qijjnuuy.dll" [2007-08-10 07:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00]
"close trans"="C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]
"Ealb"="C:\WINDOWS\system32\WNSXS~1\csrss.exe" []
"Btjtizk"="C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= c:\progra~1\mcafee\mcafee antispyware\mssshell.dll [2005-07-17 22:42 155769]
path=
backup=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
"C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
C:\Program Files\Microsoft Works\WksSb.exe /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
%WINDIR%\Creator\Remind_XP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
C:\Program Files\Microsoft Works\wkfud.exe

R0 sfsync04;StarForce Protection Synchronization Driver (version 4.x);C:\WINDOWS\system32\drivers\sfsync04.sys
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe
R3 SunkFilt;Alcor Micro Corp Reader;\??\C:\WINDOWS\System32\Drivers\sunkfilt.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe -k QWAVE
S3 QWAVEDRV;QWAVE driver;C:\WINDOWS\system32\DRIVERS\qwavedrv.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys
S3 xnacc;Microsoft Common Controller For Windows Driver Service;C:\WINDOWS\system32\DRIVERS\xnacc.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE


Contents of the 'Scheduled Tasks' folder
2007-08-09 14:57:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-11 01:52:29 C:\WINDOWS\Tasks\McAfee AntiSpyware.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 10:05:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 10:11:24 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-11 10:11
C:\ComboFix2.txt ... 2007-07-01 12:21

--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 10:16:50 AM, on 8/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Scanner\Scan.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {34AD8CB2-310B-6B8E-2177-38B6023DF090} - C:\WINDOWS\system32\svknhis.dll (file missing)
O2 - BHO: (no name) - {6D5F89DC-7093-423E-AD09-115DEC9E2302} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D7D3261D-E239-45E3-9247-9FB77C9C43AC} - C:\WINDOWS\system32\awvtq.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SystemRescue] rundll32.exe "C:\WINDOWS\system32\qijjnuuy.dll",sitypnow
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [close trans] C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Btjtizk] "C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/downloa ... YAX29b.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugi ... .5.1.8.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm

Unread postby silver » August 11th, 2007, 10:37 pm

Hi Jason2781,

First, we'll remove some unwanted programs, please open Start->Control Panel->Add/Remove Programs and remove these:
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.1_02
eMusic - 50 Free MP3 offer


The Java Runtime installations are out of date and now a security risk, you can get the latest update (version 6 update 2) from here

You have BitTorrent, a P2P file sharing program installed on your computer. This program does not come bundled with malware as some similar programs do, but peer-to-peer file sharing networks are one of the biggest sources of malware we see. Anything downloaded from them cannot be trusted to be clean, because even if the file appears to be what it claims to be, it can have malware embedded in it.
I recommend you remove it, but of course the choice is yours.
You can remove BitTorrent via Add/Remove Programs.

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Player or Media Player Classic.
You can remove Viewpoint Media Player via Add/Remove Programs.

Then, open HijackThis, choose Do a system scan only and place a checkmark next to the following lines (if present):
O2 - BHO: (no name) - {34AD8CB2-310B-6B8E-2177-38B6023DF090} - C:\WINDOWS\system32\svknhis.dll (file missing)
O2 - BHO: (no name) - {6D5F89DC-7093-423E-AD09-115DEC9E2302} - C:\WINDOWS\system32\pmkhh.dll (file missing)
O2 - BHO: (no name) - {D7D3261D-E239-45E3-9247-9FB77C9C43AC} - C:\WINDOWS\system32\awvtq.dll (file missing)
O4 - HKLM\..\Run: [SystemRescue] rundll32.exe "C:\WINDOWS\system32\qijjnuuy.dll",sitypnow
O4 - HKCU\..\Run: [close trans] C:\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\Show tray.exe
O4 - HKCU\..\Run: [Ealb] "C:\WINDOWS\system32\WNSXS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Btjtizk] "C:\Documents and Settings\Owner\Application Data\s?curity\w?wexec.exe"


Then close all open windows apart from HijackThis, press Fix checked, OK the prompt and close HijackThis.

Next:
  • Check that combofix.exe is on your Desktop
  • Then open Notepad: press Start->Run, type notepad and click OK
  • Copy/paste the contents of the below code box into Notepad:
    Code: Select all
    File::
    C:\WINDOWS\system32\qijjnuuy.dll
    
    Folder::
    C:\SDFix
    
    
  • Save this to your Desktop as CFScript.

    Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Note: Do not click ComboFix's window while it's running - it may cause it to stall!

Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Recycle Bin, Temporary Files and Temporary Internet Files are checked, you can choose to check other boxes if you wish but they are not required.
Press OK and Yes to confirm

Download Dr.WEB CureIt to your desktop from here:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
  • Double-click cureit.exe to start the program.
  • Press Start and then OK to start the Express scan
  • The Express scan takes just a few moments to finish, if something is found, click Yes to cure it
  • Once the short scan has finished, Click Options->Change settings
  • Choose the Scan tab and remove the check mark from Heuristic analysis
  • Choose the Actions tab and next to Infected objects select Move, then press OK to close the settings box.
  • Note: These settings changes are IMPORTANT, please ensure you have made them before scanning
  • Select all hard drives to be scanned by clicking on them - choose all drives - a red dot confirms they will be scanned
  • Click the green arrow on the right to start the scan
  • Click Yes to all if it asks if you want to move a file
  • Click File-> Save report list and save the report to your desktop
  • Close Dr.Web Cureit and reboot your computer (this is important as files may be moved/deleted during reboot)


Once complete, please post the ComboFix report, the Dr Web log and a new HijackThis log.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7

Unread postby silver » August 18th, 2007, 1:14 am

Hi,

How are you getting on?

If the instructions are unclear or something isn't working, please let me know before proceeding.
User avatar
silver
Regular Member
 
Posts: 9219
Joined: August 7th, 2006, 9:40 pm
Location: GMT+7
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 71 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware