need winfixer removal help, please!

Post by floete » November 15th, 2005, 9:47 am

Can somebody help me get rid of WinFixer 2005? Thanks! And here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:42:08 AM, on 11/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\SurfAccuracy\SAcc.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ClipMate6\ClipMate.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\kv\Desktop\hijack results\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipMate6] C:\Program Files\ClipMate6\ClipMate.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe
floete
Regular Member
 
Posts: 39
Joined: November 15th, 2005, 9:44 am

Post by amateur » November 15th, 2005, 3:08 pm

Hi Floete, :)

Welcome to MRU. I would like to help you. In order to do that, I need to research the items in your log, which takes a considerable time. Please be patient. In the meantime, if you have any questions, please post them in this thread and I'll be notified.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by floete » November 15th, 2005, 3:18 pm

Thanks much, and I look forward to your help!
floete
Regular Member
 
Posts: 39
Joined: November 15th, 2005, 9:44 am

Post by amateur » November 15th, 2005, 9:16 pm

Hi Floete,

Thanks for being patient. :) I've done my research and we'll start with downloading some programs and running them later. Let's begin.

Download:

Adaware SE 1.06

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed. Do not run it yet.

Spybot S & D

In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
Close ALL windows except Spybot S&D
Click the button to 'Search for Updates' then download and install the Updates.
Click on "immunize" button to complete the update. Do not run it yet.

Ewido Security Suite

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), do not run it yet.

I noticed that you have an older version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older, more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 5.

To check whether your version is the latest, please go to this link to verify your version and get the updates needed:
http://www.java.com/en/download/windows_automatic.jsp

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify your Java software.

Or you can get the manual download here:
http://www.java.com/en/download/manual.jsp

Once you have installed the latest update, please go to Start>Control Panel>Add/Remove Programs and remove all older instances of Java listed there.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, click on the Scanner and run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Post by floete » November 16th, 2005, 8:06 am

Well, let's see:

1/ I updated Ad-Aware but didn't run it, per your instructions.
2/ Sadly, for some reason, I cannot get Spybot to open on my laptop. It'll install, but when I go to open it, I get the hourglass for a second, then nothing. Why this is I do not know.
3/ I ran Ewido but at the end did not see a place to save a single report that I could post. Instead, under Analysis, I was able to save three reports. They are appended under the HijackThis report.

Thanks for your continued help!

Logfile of HijackThis v1.99.1
Scan saved at 6:41:15 AM, on 11/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
c:\toshiba\ivp\swupdate\swupdtmr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\System32\00THotkey.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TPSMain.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\ClipMate6\ClipMate.exe
C:\WINDOWS\System32\TPSBattM.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\ePrompter\ePrompter.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\kv\Desktop\hijack results\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [ISLP2STA.EXE] ISLP2STA.EXE START
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [OPSE reminder] "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ClipMate6] C:\Program Files\ClipMate6\ClipMate.exe
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\toshiba\ivp\swupdate\swupdtmr.exe

--------------
---------------------------------------------------------
ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 6:57:25 AM, 11/16/2005
+ Report-Checksum: 5197703B

TCP 0.0.0.0:81 0.0.0.0:0 LISTENING
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1026 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1064 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1138 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1180 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2230 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2556 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 192.168.0.101:139 0.0.0.0:0 LISTENING
TCP 192.168.0.101:1138 68.1.17.2:110 CLOSE_WAIT
TCP 192.168.0.101:2187 192.168.0.1:5678 TIME_WAIT
TCP 192.168.0.101:2190 192.168.0.1:5678 TIME_WAIT
TCP 192.168.0.101:2219 192.168.0.1:5678 TIME_WAIT
TCP 192.168.0.101:2221 192.168.0.1:5678 TIME_WAIT
TCP 192.168.0.101:2230 192.168.0.1:53 SYN_SENT
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1055
UDP 127.0.0.1:123
UDP 127.0.0.1:1035
UDP 127.0.0.1:1054
UDP 127.0.0.1:1317
UDP 127.0.0.1:1354
UDP 127.0.0.1:1900
UDP 192.168.0.101:123
UDP 192.168.0.101:137
UDP 192.168.0.101:138
UDP 192.168.0.101:1900

---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------

+ Created on: 6:57:55 AM, 11/16/2005
+ Report-Checksum: 31E6791A

0: System Process
4: System Process
108: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
220: C:\Program Files\QuickTime\qttask.exe
332: C:\WINDOWS\System32\ctfmon.exe
340: C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
344: C:\Program Files\Norton AntiVirus\SAVScan.exe
548: C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
604: C:\WINDOWS\Explorer.EXE
616: C:\WINDOWS\System32\TPSMain.exe
624: C:\Program Files\Apoint2K\Apoint.exe
632: \SystemRoot\System32\smss.exe
696: \??\C:\WINDOWS\system32\csrss.exe
720: \??\C:\WINDOWS\system32\winlogon.exe
764: C:\WINDOWS\system32\services.exe
776: C:\WINDOWS\system32\lsass.exe
812: C:\WINDOWS\System32\TFNF5.exe
920: C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
928: C:\WINDOWS\system32\svchost.exe
992: C:\WINDOWS\System32\svchost.exe
1140: C:\WINDOWS\System32\TPSBattM.exe
1148: C:\Program Files\ClipMate6\ClipMate.exe
1184: C:\WINDOWS\System32\svchost.exe
1208: C:\WINDOWS\System32\svchost.exe
1264: C:\WINDOWS\System32\ezSP_Px.exe
1312: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1340: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
1436: C:\Program Files\Apoint2K\Apntex.exe
1524: C:\WINDOWS\system32\spoolsv.exe
1624: C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
1652: C:\WINDOWS\System32\DVDRAMSV.exe
1672: C:\WINDOWS\System32\directs.exe
1704: C:\Program Files\ewido\security suite\ewidoctrl.exe
1744: C:\Program Files\Norton AntiVirus\navapsvc.exe
1844: C:\WINDOWS\System32\svchost.exe
1860: c:\toshiba\ivp\swupdate\swupdtmr.exe
1896: C:\WINDOWS\System32\00THotkey.exe
2276: C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
2344: C:\Program Files\ePrompter\ePrompter.exe
3288: C:\Program Files\Internet Explorer\iexplore.exe
3292: C:\WINDOWS\system32\NOTEPAD.EXE
3804: C:\Program Files\ewido\security suite\SecuritySuite.exe
3868: C:\WINDOWS\System32\wuauclt.exe

---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------

+ Created on: 6:57:06 AM, 11/16/2005
+ Report-Checksum: 3DA51D50

Reg\HKLM\Run ezShieldProtector for Px C:\WINDOWS\System32\ezSP_Px.exe
Reg\HKLM\Run 00THotkey C:\WINDOWS\System32\00THotkey.exe
Reg\HKLM\Run 000StTHK 000StTHK.exe
Reg\HKLM\Run TFNF5 TFNF5.exe
Reg\HKLM\Run TFncKy TFncKy.exe
Reg\HKLM\Run TPSMain TPSMain.exe
Reg\HKLM\Run ISLP2STA.EXE ISLP2STA.EXE START
Reg\HKLM\Run Apoint C:\Program Files\Apoint2K\Apoint.exe
Reg\HKLM\Run ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run OpwareSE2 "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
Reg\HKLM\Run OPSE reminder "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\Ereg.exe" -r "C:\Program Files\ScanSoft\OmniPageSE2.0\EregEng\ereg.ini"
Reg\HKLM\Run SurfAccuracy C:\Program Files\SurfAccuracy\SAcc.exe
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
Reg\HKCU\Run ctfmon.exe C:\WINDOWS\System32\ctfmon.exe
Reg\HKCU\Run Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run ClipMate6 C:\Program Files\ClipMate6\ClipMate.exe
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup D-Link AirPlus Xtreme G Configuration Utility.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\D-Link AirPlus Xtreme G Configuration Utility.lnk
Shell\UserStartup ePrompter.lnk C:\Documents and Settings\kv\Start Menu\Programs\Startup\ePrompter.lnk
Shell\UserStartup PalNetaware.lnk C:\Documents and Settings\kv\Start Menu\Programs\Startup\PalNetaware.lnk
floete
Regular Member
 
Posts: 39
Joined: November 15th, 2005, 9:44 am

Post by amateur » November 16th, 2005, 6:24 pm

Hi Floete,

I am sorry you ran into some difficulties. :( We'll try to solve them.

Go to Start > Control Panel > Add/Remove Programs and delete them, as both are classified as adware; see here and here:

SurfAccuracy
Paltalk
Viewpoint
See the note below:

Viewpoint components are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto updating for the Viewpoint Manager" the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


I recommend that you remove the Viewpoint products also; however, decide for yourself.

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
    Temporary Internet Files
    Downloaded Program Files
    Recycle Bin
    Temporary Files
Click OK or Enter

Make sure that you can see hidden files

Start>My Computer>Tools>Folder Options>View

Under the Hidden files and Folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.

At this point you may feel more comfortable if you print out the instructions so that you'll have access to them when you are in Safe Mode.

Reboot your computer in Safe Mode using the F8 method below.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Run HijackThis. Close all other windows except HijackThis. Put a checkmark against the following entries.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.myway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe (if you uninstalled it)

Click on the "Fix checked" button. Exit from HJT.

Still in Safe Mode delete the following folders, in bold, if found:
C:\Program Files\Viewpoint
C:\Program Files\SurfAccuracy
C:\Program Files\Paltalk

and delete the following file, if found:

C:\WINDOWS\System32\mousehs.exe

Still in Safe Mode, run Ewido Security Suite

Click on the Scanner button in the left menu, then click on Settings, and under "What to scan?", select "Every file" then click ok.
Then click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Do Not reboot yet.

Still in Safe Mode, run Spybot S & D

a. In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
b. Close ALL windows except Spybot S&D
c. Click the button to 'Search for Updates' then download and install the Updates.
d. Next click the button 'Check for Problems'
e. When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
f. Make sure that there is a check mark beside all of the RED entries ONLY.
g. Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows. Do Not Reboot Yet.

Still in Safe Mode, run Ad-Aware SE

To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.

Reboot in Normal Mode to complete the scan and clear memory.

Please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Then run Panda's ActiveScan and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open; click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: it will take a couple of minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Please reboot (Normal Mode), run HijackThis again and post the new HijackThis log along with reports from Ewido and the online virus scans from Kaspersky and Panda.
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

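The post above asks for a fresh HijackThis log after the fixes so that it can be compared with the one posted first. The following script is an added editorial example, not code from the thread, from MalwareRemoval.com, or from HijackThis itself: it parses two HijackThis-style logs, reports which running processes and O4 autostart entries disappeared, appeared or changed between them, and lists any executable that lives outside the Windows or Program Files directories. The two logs, the "Example AV" program, the "sysupdate" entry and the Temp-directory path are constructed sample data, not lines from this thread. The location check is only a triage hint: legitimate OEM utilities and malware alike can sit in System32, which is why the helper asks for the whole log rather than trusting a single rule.

```python
import re

# Constructed sample logs (NOT from the thread): the "before" log carries an
# autostart pointing into a Temp directory; the "after" log no longer has it.
SAMPLE_BEFORE = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Example AV\avscan.exe
C:\DOCUME~1\USER\LOCALS~1\Temp\update.exe

O4 - HKLM\..\Run: [Example AV] "C:\Program Files\Example AV\avscan.exe" /tray
O4 - HKLM\..\Run: [sysupdate] C:\DOCUME~1\USER\LOCALS~1\Temp\update.exe
O4 - HKCU\..\Run: [Messenger] C:\Program Files\Messenger\msmsgs.exe /background
"""

SAMPLE_AFTER = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Example AV\avscan.exe

O4 - HKLM\..\Run: [Example AV] "C:\Program Files\Example AV\avscan.exe" /tray
O4 - HKCU\..\Run: [Messenger] C:\Program Files\Messenger\msmsgs.exe /background
"""

# HijackThis O4 lines look like:  O4 - HKLM\..\Run: [name] command line
O4_RE = re.compile(r'^O4 - (\S+): \[([^\]]*)\] (.+)$')
# First executable path in a command line, quoted or not (unquoted paths with
# spaces are common in these logs, so we cut at the first .exe/.com/etc.).
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|dll|bat))"?(?:\s|$)', re.IGNORECASE)
# Directory prefixes treated as "expected" (assumption; a hint, not a verdict).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_hjt(text):
    """Return (running process paths, {(hive, name): command} for O4 entries)."""
    processes, autostarts, in_procs = [], {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line ends the process list
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            autostarts[(hive, name)] = cmd
    return processes, autostarts


def executable_of(cmd):
    """Strip quotes and arguments from an autostart command line."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip().strip('"').split()[0]


def is_trusted_location(path):
    # Lower-case and prefix-compare so 8.3 short names and mixed case both work.
    return path.lower().startswith(TRUSTED_ROOTS)


def untrusted_in(text):
    """Executables (processes and autostarts) outside the trusted roots."""
    procs, autos = parse_hjt(text)
    paths = {p.lower() for p in procs} | {executable_of(c).lower() for c in autos.values()}
    return sorted(p for p in paths if not is_trusted_location(p))


def diff_logs(before_text, after_text):
    """Compare two logs: what went away, what is new, what still looks odd."""
    b_procs, b_auto = parse_hjt(before_text)
    a_procs, a_auto = parse_hjt(after_text)
    b_set = {p.lower() for p in b_procs}
    a_set = {p.lower() for p in a_procs}
    return {
        "processes_gone": sorted(b_set - a_set),
        "processes_new": sorted(a_set - b_set),
        "autostarts_gone": sorted(k for k in b_auto if k not in a_auto),
        "autostarts_new": sorted(k for k in a_auto if k not in b_auto),
        "autostarts_changed": sorted(
            k for k in a_auto if k in b_auto and a_auto[k].lower() != b_auto[k].lower()
        ),
        "untrusted_after": untrusted_in(after_text),
    }


if __name__ == "__main__":
    for key, items in diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(f"{key}: {items if items else 'none'}")
    print("untrusted before fix:", untrusted_in(SAMPLE_BEFORE))
```

On the constructed samples the Temp-directory process and its "sysupdate" autostart show up as gone, nothing new appears, and the after-log has no executable outside the trusted roots. In practice, an entry that reappears in the after-log after a scanner claimed to remove it is exactly the case the helper wants to see, and the untrusted-location list is a starting point for hash or signature checks, not grounds for deleting anything on its own.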
Unread postby floete » November 16th, 2005, 6:47 pm

Wow, okay, I'll get on it. But, like I said, I can't get Spybot to run on my computer, so I'll have to do without that and see what happens. More later ... and thanks again!
floete
Regular Member
 
Posts: 39
Joined: November 15th, 2005, 9:44 am

Unread postby amateur » November 16th, 2005, 6:54 pm

I am hoping that you may be able to, after the fixes.

Unread postby floete » November 17th, 2005, 8:46 pm

Will file reports in a moment. Meanwhile, after running Panda, this popped up on my screen:

"Files that are required for Windows to run properly have been replaced by unrecognized versions. To maintain system stability, Windows must restore the original versions of these files."

I haven't done anything yet and have left the message up on the screen. What should I do?

Unread postby amateur » November 17th, 2005, 9:11 pm

Is the pop-up a Windows window?

Unread postby floete » November 17th, 2005, 9:12 pm

Also: after completing the instructions -- and I don't know if these things are related -- something weird happened to an email program I used called ePrompter. For some reason, the eprompter.exe disappeared. It's not in the ePrompter folder or anywhere else.
Sheeeeesh!
Plus, I keep getting lots of pop-ups.
Anyway, I guess I'm going to ignore that Windows message and reboot so I can run HijackThis and send you all the crap I've got.
And believe me, there's a lot of it.

Unread postby floete » November 17th, 2005, 9:13 pm

I don't know what a Windows window is, but it seems like a legitimate message.

Unread postby amateur » November 17th, 2005, 9:14 pm

Were you able to finish the online virus scans?

Unread postby floete » November 17th, 2005, 9:15 pm

Yes, I was. Should I reboot and send you everything after rerunning HijackThis?

Unread postby amateur » November 17th, 2005, 9:17 pm

Yes, please.