Installing SP2 and a BLUE SCREEN


Post by *zappa » April 12th, 2007, 12:21 am

Every time I try to install Windows SP2 my computer crashes (blue screen). I can’t even go back to a restore point and have to use the restore console using boot disks. I can give more details if it will help, but I’ve tried so many things the last couple of weeks it’s becoming a blur.

I have run Adaware & Spybot.

Attached are my HijackThis and Panda online logs.

Thanks in advance for any thing you can help me with.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:39:37 PM, on 4/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winpatrol.com/cgi-bin/plusin ... oc=en&ext=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinPatrol Explorer] "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - HKUS\S-1-5-18\..\Run: [Ouiv] C:\WINDOWS\System32\??rvices.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Ouiv] C:\WINDOWS\System32\??rvices.exe (User 'Default user')
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5581223125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/Wsc ... erCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/in ... ction3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 5281 bytes




Incident                                            Status           Location
Adware:adware/powersearch                           Not disinfected  c:\windows\system32\stlb2.xml
Adware:adware/bookedspace                           Not disinfected  c:\windows\cfgmgr52.ini
Adware:adware/elitebar                              Not disinfected  C:\Documents and Settings\Brian\Favorites\Casino & Carrers
Adware:adware/transponder                           Not disinfected  Windows Registry
Spyware:Cookie/Belnk                                Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@ath.belnk[2].txt
Spyware:Cookie/Azjmp                                Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@azjmp[2].txt
Spyware:Cookie/Belnk                                Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@belnk[1].txt
Spyware:Cookie/Ccbill                               Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@ccbill[1].txt
Spyware:Cookie/360i                                 Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@ct.360i[1].txt
Spyware:Cookie/did-it                               Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@did-it[1].txt
Spyware:Cookie/Belnk                                Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@dist.belnk[2].txt
Spyware:Cookie/Screensavers                         Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@i.screensavers[1].txt
Spyware:Cookie/Xiti                                 Not disinfected  C:\Documents and Settings\Jason\Cookies\jason@xiti[1].txt
Potentially unwanted tool:Application/Processor     Not disinfected  C:\Documents and Settings\Jason\Desktop\John\l2mfix.exe[l2mfix/Process.exe]
Spyware:Cookie/Atwola                               Not disinfected  C:\Documents and Settings\Jason\Local Settings\Temp\Cookies\jason@atwola[1].txt
Spyware:Cookie/Belnk                                Not disinfected  C:\Documents and Settings\Jason\Local Settings\Temp\Cookies\jason@belnk[1].txt
Spyware:Cookie/Belnk                                Not disinfected  C:\Documents and Settings\Jason\Local Settings\Temp\Cookies\jason@dist.belnk[2].txt
Potentially unwanted tool:Application/HideWindow.A  Not disinfected  C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B     Not disinfected  C:\hp\bin\KillIt.exe
Potentially unwanted tool:Application/MyWay         Not disinfected  C:\Program Files\iolo\System Mechanic Professional 6\Undo\Manual\{E7F35FB2-2C57-476F-BDC0-788DA3029428}\{AA7C5741-6C86-4BA7-AAD7-F9B6B19F33F6}.DLL[{AA7C5741-6C86-4BA7-AAD7-F9B6B19F33F6}.DLL]
*zappa
Active Member
 
Posts: 13
Joined: April 11th, 2007, 10:55 pm

Post by John B. » April 13th, 2007, 11:38 am

Hi,

You're using the beta version of HijackThis which is still being tested. Please delete Micro HijackThis v2.0.0 using Add/Remove programs in the Control panel and do this to post a fresh HijackThis log:

Download a copy of hijackthis.exe from here: http://downloads.malwareremoval.com/HijackThis.exe and save it to the desktop.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it hjtinstall.bat. Please save it on your desktop.

@echo off
rem Create the program folder and move the downloaded HijackThis into it under a new name
if not exist "C:\Program Files\HJThis" md "C:\Program Files\HJThis"
move "%userprofile%\desktop\HijackThis.exe" "C:\Program Files\HJThis"
ren "C:\Program Files\HJThis\HijackThis.exe" search.exe
rem Write a desktop launcher (Search.bat) for the renamed program
echo @echo off > "%userprofile%\desktop\Search.bat"
echo "C:\Program Files\HJThis\search.exe" >> "%userprofile%\desktop\Search.bat"
rem The empty "" is the window title: without it START treats the quoted path as the title and never runs the program
start "" "C:\Program Files\HJThis\search.exe"
rem Remove this installer script itself (%~f0 is the full path of the running batch file)
del "%~f0"


Double click hjtinstall.bat. Please post a fresh HijackThis log. Also post an Uninstall log:
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

[screenshot]

5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


So I would like to see a fresh HijackThis log, not the beta version, and an Uninstall log :)

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by John B. » April 13th, 2007, 12:29 pm

Hi,

I want you to wait with updating your Windows XP SP1 to SP2, because doing it before you're all clean can damage your system (if it can be damaged any further).

Step 1: Download and Run FindAWF
Please download FindAWF here:
http://noahdfear.geekstogo.com/FindAWF.exe
Save to desktop and run
The output is awf.txt, save the text file to your desktop.

Step 2: Search for a file
We need to do a search now.
  • Click Start.
  • Click Search.
  • Click All files and folders.
    • At Look in: you click Browse... and browse to C:\WINDOWS\System32 and click OK.
    • Expand More advanced options and then check Search system folders, Search hidden files and folders and uncheck Search Subfolders.
  • Paste this into the All or part of the file name box:

    rvices
You'll find around 3 files of which two are services. That isn't the file we are looking for.
We're looking for a file of 8 letters of which the first 2 letters aren't se but the last 6 are rvices.
When you've found the file please write down the name of the file or something similar so you'll remember the name.

Step 3: Upload a File to Virustotal
Please visit Virustotal
  • Click the Browse... button
  • Navigate to the file you found in Step 2
  • Click the Open button
  • Click the Send button
  • Copy and paste the results in a Notepad/Word file
Step 4: Post logs
  • awf.txt
  • Virustotal results

Greets, John.
Last edited by John B. on April 13th, 2007, 3:59 pm, edited 2 times in total.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
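The file John asks for in Step 2 (eight letters ending in rvices whose first two letters are not se, shown as ??rvices.exe in the HijackThis O4 lines) is a name chosen to pass for services.exe at a glance. As an added example that is not from the thread, the Python below screens a directory listing for names that sit one or two edits away from a core Windows process name or contain non-ASCII/non-printable characters; the listing is constructed, not the poster's System32, and the core names come from the "Running processes" section of the log.

```python
"""Screen a System32-style file listing for names that impersonate a core Windows process.

Added example for this thread, not a tool from the original post. The listing below is
constructed; the lookalike uses two non-ASCII letters, which is one way a name ends up
rendered as "??rvices.exe" in a HijackThis log.
"""

# Core process names taken from the "Running processes" section of the HijackThis log.
CORE_NAMES = (
    "smss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe",
)

# Constructed sample listing (not the poster's System32).
SAMPLE_LISTING = [
    "services.exe",            # the real one
    "services.msc",            # MMC snap-in, the other legitimate "rvices" hit
    "\u0160\u0117rvices.exe",  # 8-letter lookalike: first two letters are not "se"
    "lsass.exe",
    "1sass.exe",               # digit one standing in for the letter l
    "svchost.exe",
    "scvhost.exe",             # transposed letters
    "notepad.exe",
    "wuauclt.exe",
]


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def odd_characters(name: str) -> list:
    """Characters outside printable ASCII; these often display as '?' in tool output."""
    return [c for c in name if ord(c) > 126 or not c.isprintable()]


def classify(filename: str):
    """Return the reasons a name looks like an impostor, or None if it is a known
    core name or nothing about it stands out."""
    lower = filename.lower()
    if lower in CORE_NAMES:
        return None
    reasons = []
    odd = odd_characters(filename)
    if odd:
        codes = ", ".join(f"U+{ord(c):04X}" for c in odd)
        reasons.append("non-ASCII/non-printable characters: " + codes)
    for core in CORE_NAMES:
        distance = levenshtein(lower, core)
        # One or two edits from a core name is worth a look; it is a lead, not a verdict.
        if 0 < distance <= 2:
            reasons.append(f"{distance} edit(s) away from {core}")
    return reasons or None


def scan(listing):
    """Map each suspicious filename to the reasons it was flagged."""
    findings = {}
    for name in listing:
        reasons = classify(name)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_LISTING).items():
        print(name, "->", "; ".join(reasons))
```

The edit-distance threshold only produces candidates; a hit still has to be checked (publisher, size, VirusTotal result) the way Step 3 does.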

Bluescreen

Post by *zappa » April 13th, 2007, 3:06 pm

Here are the 2 logs you requested.

THANKS for your help!!


Ad-Aware SE Professional
Adobe Download Manager 2.0 (Remove Only)
Adobe Reader 7.0
Ahead InCD EasyWrite Reader
ANIO Service
ANIWZCS2 Service
Apple Software Update
ArcSoft ShowBiz
ArcSoft Software Suite
AVG Anti-Spyware 7.5
Bikini Twins Screen Saver
CopyPod (remove only)
Hewlett-Packard Multimedia Keyboard/Mouse Solution
HijackThis 1.99.1
hp center
HP Instant Support
HP Memories Disc
hp toolkit
Inactive HP Printer Drivers (Remove only)
Internet Explorer Q903235
InterVideo WinDVD
iolo technologies' System Mechanic Professional 6
iTunes
Lernout & Hauspie TruVoice American English TTS Engine
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
Microsoft Broadband Networking
Microsoft Data Access Components KB870669
Microsoft Office 2000 SR-1 Premium
Microsoft Plus! for Windows XP
MSN Music Assistant
MyDVD
Nero Media Player
Nero OEM
NVIDIA Drivers
Palm Desktop
Panda ActiveScan
QuickTime
RealPlayer Basic
RecordNow
RecordNow Update Manager
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896426)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
SimTheme Park
Sound Blaster Audigy
Spybot - Search & Destroy 1.4
Steam(TM)
Trend Micro PC-cillin Internet Security 2007
Trend Micro PC-cillin Internet Security 2007
TrojanHunter 4.6
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
USB Storage R/W v1.14e057
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 9 Hotfix [See KB885492 for more information]
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833987
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839645
Windows XP Hotfix - KB840315
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB840987
Windows XP Hotfix - KB841356
Windows XP Hotfix - KB841533
Windows XP Hotfix - KB841873
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB871250
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB873376
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891711
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Hotfix - KB896688
Windows XP Hotfix - KB896727
Windows XP Hotfix - KB897715
Windows XP Hotfix - KB905915
Windows XP Hotfix - KB911567
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
Windows XP Hotfix (SP2) Q811632
Wireless G WUA-1340



Logfile of HijackThis v1.99.1
Scan saved at 2:52:15 PM, on 4/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\HJThis\search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winpatrol.com/cgi-bin/plusin ... oc=en&ext=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinPatrol Explorer] "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5581223125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/Wsc ... erCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/in ... ction3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs:
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
*zappa
Active Member
 
Posts: 13
Joined: April 11th, 2007, 10:55 pm

Services

Post by *zappa » April 13th, 2007, 4:06 pm

I just read your second post and found only 2 items in Windows services 32:

services.exe
services.msc


John
*zappa
Active Member
 
Posts: 13
Joined: April 11th, 2007, 10:55 pm

Post by John B. » April 15th, 2007, 1:09 pm

Hi,

Thanks for the logs!

Please download FindAWF here:
http://noahdfear.geekstogo.com/FindAWF.exe
Save to desktop and run
The output is awf.txt, save the text file to your desktop and post it!

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

AWF report

Post by *zappa » April 15th, 2007, 3:09 pm

Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 04:45 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/08/2006 04:12 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\EHOME\BAK

11/12/2002 05:37 PM 27,648 ehtray.exe
1 File(s) 27,648 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 05:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\PROGRA~1\BILLPS~1\WINPAT~1\BAK

06/20/2005 08:11 PM 218,688 WinPatrol.exe
1 File(s) 218,688 bytes

Directory of C:\PROGRA~1\IOLO\SYSTEM~1\BAK

11/17/2003 05:18 PM 428,032 PopupStopper.exe
1 File(s) 428,032 bytes

Directory of C:\PROGRA~1\IOLO\SYSTEM~3\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 18 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Aug 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\ehtray.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\bak\ehtray.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
271936 Mar 26 2007 "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
218688 Jun 20 2005 "C:\Program Files\BillP Studios\WinPatrol\bak\WinPatrol.exe"
428032 Nov 17 2003 "C:\Program Files\iolo\System Mechanic 4 Professional\bak\PopupStopper.exe"


end of report
*zappa
Active Member
 
Posts: 13
Joined: April 11th, 2007, 10:55 pm

Post by John B. » April 17th, 2007, 10:16 am

Hi,

Let's try to repair all the programs damaged by the infection :)

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Download and Run DelDomains
Please download DelDomains by WinHelp2002 and save it to your desktop.
  • Right-click on DelDomains.inf, and choose Install.
  • You may not see any noticeable changes or prompts; this is normal.
  • Then, please restart your computer, and post a new HijackThis log.
  • You will have to re-immunize with SpywareBlaster, IE-SPYAD, and/or Spybot - Search & Destroy after doing this.
Step 2: Download and Run ResetProtocolDefaults
Please download ResetProtocolDefaults by WinHelp2002 and save it to your desktop.
  • Locate ResetProtocolDefaults.reg which should be on your desktop.
  • Right-click and select: Merge.
  • OK the prompt.
Step 3: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 4: Run Batchfile
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it awf1.bat. Please save it on your desktop.

rem For each program the infection replaced: remove the replacement, then restore the original from its bak folder
if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy /y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes\iTunesHelper.exe"

if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"

if exist "C:\WINDOWS\eHome\ehtray.exe" del /q "C:\WINDOWS\eHome\ehtray.exe"
copy /y "C:\WINDOWS\eHome\bak\ehtray.exe" "C:\WINDOWS\eHome\ehtray.exe"

if exist "C:\WINDOWS\system\hpsysdrv.exe" del /q "C:\WINDOWS\system\hpsysdrv.exe"
copy /y "C:\WINDOWS\system\bak\hpsysdrv.exe" "C:\WINDOWS\system\hpsysdrv.exe"

if exist "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe" del /q "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
copy /y "C:\Program Files\BillP Studios\WinPatrol\bak\WinPatrol.exe" "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"

if exist "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe" del /q "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
copy /y "C:\Program Files\iolo\System Mechanic 4 Professional\bak\PopupStopper.exe" "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"


Double click awf1.bat. A window will open. After it's done, close it if it doesn't close automatically.

Step 5: Reboot and Post logs
Your computer will automatically switch to normal mode if you reboot.
Please post the following logs:
  • Fresh AWF log
  • Fresh HJT log

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
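The batch in Step 4 was written by hand from the awf.txt report above: each executable inside a bak folder is the original that the infection moved aside, and the file of the same name one level up is the replacement that has to go. As an added example, not part of the thread or of FindAWF, the Python below parses the "Duplicate files of bak directory contents" lines from that report, pairs every bak copy with its live path, records whether the live copy is missing or differs in size or date, and emits the same del / copy /y pairs the fix uses; the bak-beside-live layout is an assumption taken from the Step 4 batch.

```python
"""Turn a FindAWF report into a restore plan.

Added example for this thread; it is not part of FindAWF or of the fix posted above.
The report lines are the "Duplicate files of bak directory contents" section of the
awf.txt posted in this thread. Assumption (matching the batch in Step 4): the copy inside
a 'bak' folder is the original, and the file of the same name one level up is the replacement.
"""
import re
from pathlib import PureWindowsPath

REPORT = r"""
257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 18 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Aug 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\ehtray.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\bak\ehtray.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
271936 Mar 26 2007 "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
218688 Jun 20 2005 "C:\Program Files\BillP Studios\WinPatrol\bak\WinPatrol.exe"
428032 Nov 17 2003 "C:\Program Files\iolo\System Mechanic 4 Professional\bak\PopupStopper.exe"
"""

# One report line: size in bytes, "Mon D YYYY", quoted full path
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text: str) -> dict:
    """Map each reported path to (size_in_bytes, date_string), in report order."""
    files = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            files[m.group(3)] = (int(m.group(1)), m.group(2))
    return files


def restore_plan(files: dict) -> list:
    """For every file inside a bak folder, pair it with its live path and say how the
    live copy compares. Returns (live_path, bak_path, status) tuples."""
    plan = []
    for path, (size, date) in files.items():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        live = str(p.parent.parent / p.name)   # same name, one level up
        if live not in files:
            status = "live copy missing"
        elif files[live][0] != size:
            status = f"live copy size differs ({files[live][0]} vs {size})"
        elif files[live][1] != date:
            status = "same size, different date"
        else:
            status = "identical size and date"
        plan.append((live, path, status))
    return plan


def batch_lines(plan: list) -> list:
    """Emit the same del / copy /y pair the Step 4 batch uses, once per bak file."""
    lines = []
    for live, bak, _status in plan:
        lines.append(f'if exist "{live}" del /q "{live}"')
        lines.append(f'copy /y "{bak}" "{live}"')
    return lines


if __name__ == "__main__":
    plan = restore_plan(parse_report(REPORT))
    for live, _bak, status in plan:
        print(f"{status:45} {live}")
    print("\n".join(batch_lines(plan)))
```

The status column is the part worth reading before running anything: a live copy that is missing or larger than its bak original is what the report is for, while "identical size and date" (ehtray.exe here) is a pair to double-check rather than blindly overwrite.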

New HJT log

Post by *zappa » April 17th, 2007, 5:03 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:52:22 PM, on 4/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winpatrol.com/cgi-bin/plusin ... oc=en&ext=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinPatrol Explorer] "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5581223125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/Wsc ... erCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/in ... ction3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs:
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
*zappa
Active Member
 
Posts: 13
Joined: April 11th, 2007, 10:55 pm

Updated Logs

Post by *zappa » April 17th, 2007, 5:20 pm

Hope I've done everything right. I'm not sure what you mean by re-immunize with SpywareBlaster, etc.

Here are the updated logs.


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006 04:45 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/08/2006 04:12 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\EHOME\BAK

11/12/2002 05:37 PM 27,648 ehtray.exe
1 File(s) 27,648 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 05:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\PROGRA~1\BILLPS~1\WINPAT~1\BAK

06/20/2005 08:11 PM 218,688 WinPatrol.exe
1 File(s) 218,688 bytes

Directory of C:\PROGRA~1\IOLO\SYSTEM~1\BAK

11/17/2003 05:18 PM 428,032 PopupStopper.exe
1 File(s) 428,032 bytes

Directory of C:\PROGRA~1\IOLO\SYSTEM~3\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 18 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Aug 8 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\ehtray.exe"
27648 Nov 12 2002 "C:\WINDOWS\eHome\bak\ehtray.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
271936 Mar 26 2007 "C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe"
218688 Jun 20 2005 "C:\Program Files\BillP Studios\WinPatrol\bak\WinPatrol.exe"
428032 Nov 17 2003 "C:\Program Files\iolo\System Mechanic 4 Professional\bak\PopupStopper.exe"


end of report



Logfile of HijackThis v1.99.1
Scan saved at 5:12:25 PM, on 4/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Documents and Settings\Brian\Desktop\HijackThis.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winpatrol.com/cgi-bin/plusin ... oc=en&ext=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinPatrol Explorer] "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5581223125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/Wsc ... erCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/in ... ction3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs:
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



THANKS AGAIN!!

JOHN

Post by John B. » April 18th, 2007, 9:36 am

Hi,

*zappa wrote: Hope I've done everything right. I'm not sure what you mean by re-immunize with SpywareBlaster, etc.

You've done it very well!

You have to run SpywareBlaster and the Immunize function of Spybot S&D again, because running the file I told you to download will remove everything they loaded.

Let's see if there's any more malware.

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Move HijackThis
You currently are running HijackThis from your desktop.

Please make a folder there, call it HijackThis and place HijackThis.exe in that folder.

DO NOT follow the steps below until you have moved HijackThis.

Step 2: Disable TrojanHunter
It is a good program, but it can interfere with our fixes, so please disable it; when you're all clean you can re-enable it!
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue magnifying glass icon with a red handle.
  • Right click it and select Settings.
  • Uncheck Load at startup and Enabled.
Step 3: Delete bad program
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Bikini Twins Screen Saver
Step 4: Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O20 - AppInit_DLLs: << NOTE: You may receive an error while fixing this entry, but please move on.

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Step 5: Configure AVG Anti-Spyware
  • Run AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
IMPORTANT! Do not scan yet with AVG Anti-Spyware! We will do this later.

Step 6: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 7: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 8: Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Step 9: Reboot
Your computer will automatically switch to Normal Mode.

Step 10: Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable to infections.
Please download the newest version here:
http://www.adobe.com/uk/products/reader/

Install it, then go to Add Remove Programs and remove any older versions that may remain.

Step 11: Download and Run Gmer
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Step 12: Post logs
You may need several replies to have everything fit in:
  • AVG AS log
  • Gmer log
  • Fresh HJT log
  • Tell me about any problems/questions you've still got

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
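The review that Step 4 above asks the reader to do by hand (pick out the empty Local Page and AppInit_DLLs entries, look twice at a service whose vendor field reads "Unknown owner") can be written as a small parser over the format HijackThis prints. The script below is an added example for this thread, not a MalwareRemoval.com tool and not part of HijackThis: it parses the R0/R1/O2/O4/O16/O20/O23 result lines, applies those cues plus two general ones a helper would also check (a Run command given without a directory, and an 8.3 short path such as PROGRA~1 that hides the real folder name), and lists what deserves a manual look. The flag texts and the cut-offs are mine; the sample log is constructed from lines posted earlier in this thread.

```python
"""Added example for this thread (not a MalwareRemoval.com or HijackThis tool):
parse HijackThis result lines and attach the review cues a helper applies by hand.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, assembled from lines posted earlier in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O20 - AppInit_DLLs:
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
"""

# Every HijackThis result line starts with a section code such as R0, O4 or O23.
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O23 body: "Service: <display name> (<short name>) - <vendor> - <drive>:\<path>"
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$")
# O4 body: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
SHORT_NAME_RE = re.compile(r"~\d")  # 8.3 short names look like PROGRA~1

EMPTY_VALUE = "empty value: candidate to fix (orphaned key)"
EMPTY_APPINIT = "empty AppInit_DLLs: candidate to fix (orphaned key)"
NO_VENDOR = "no vendor recorded for this service: identify the binary before trusting it"
SHORT_PATH = "8.3 short path: expand it to see the real folder name"


@dataclass
class Entry:
    code: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return one Entry per result line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body").rstrip()))
    return entries


def executable_token(cmd):
    """First token of a Run command: the quoted program if quoted, else up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def review(entry):
    """Attach review cues to one entry. A cue is a reason to look, not a verdict."""
    body = entry.body
    if entry.code in ("R0", "R1") and body.endswith(" ="):
        entry.flags.append(EMPTY_VALUE)
    if entry.code == "O20" and body.endswith("AppInit_DLLs:"):
        entry.flags.append(EMPTY_APPINIT)
    if entry.code == "O23":
        m = SERVICE_RE.match(body)
        if m and m.group("vendor") == "Unknown owner":
            entry.flags.append(NO_VENDOR)
    if entry.code == "O4":
        m = RUN_RE.search(body)
        if m:
            exe = executable_token(m.group("cmd"))
            if "\\" not in exe:  # bare file name: resolved through the search path at logon
                entry.flags.append(
                    f"{exe} is given without a directory: confirm which copy the search path resolves to"
                )
    if SHORT_NAME_RE.search(body):
        entry.flags.append(SHORT_PATH)
    return entry


def triage(text):
    """Parse a whole log and review every entry."""
    return [review(e) for e in parse_hjt(text)]


def flagged(text):
    """Only the entries that picked up at least one cue, in log order."""
    return [e for e in triage(text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.code}: {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```

Run it on a saved HijackThis log by replacing SAMPLE_LOG with the file contents; the unflagged lines are not declared clean, they simply match none of the cues, so the full log still gets read.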

Post by *zappa » April 18th, 2007, 9:15 pm

:? I ran into a few problems and will try to describe them accurately and in the order they happened:

"Please make a folder there, call it HijackThis and place HijackThis.exe in that folder."

I wasn't sure where "there" was to put the folder, so I put it under Program Files.

Disabled Trojanhunter


Tried to remove the bikini screen saver with the add/remove function in the control panel and received this message: "Could not open install.log file".

Ran HJT and selected the 3 items you requested and received this message upon running it: "error log" (nothing else but that). But it seems to have removed those entries.

ATF Cleaner: I selected "all" and ran the cleaner. The Firefox & Opera buttons are grayed out; I don't have either.

I made the changes to AVG and restarted in safe mode.

AVG running in safe mode, I received this message:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at <EDITED>, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

(I may have caused this to happen as I accidentally hit the scan button, then a few seconds later stopped the scan?)


I closed it and reopened it. Both times it was open it was too large to fit on the screen and I could not see the check boxes on the left, so I could not make any changes to them. I checked the boxes on the right per your instructions and ran the scan.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:05:22 PM 4/18/2007

+ Scan result:



Nothing found.



::Report end

rebooted and installed Adobe 8. There is no listing on the add/remove menu to remove Adobe 7 although it is still showing under windows explorer.

Ran Gmer and got a nice long report. Hit the copy button and was notified the contents were copied to the clipboard, but I could not copy any of it into Notepad, Word or WordPad. I have tried several times using different methods to no avail. It wipes out the previous content of the clipboard but does not insert anything new.

Ran HJT. Report below.


Cheers

John



Logfile of HijackThis v1.99.1
Scan saved at 8:29:35 PM, on 4/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Documents and Settings\Brian\Local Settings\Temp\Temporary Directory 1 for gmer.zip\gmer.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\HJThis\search.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.winpatrol.com/cgi-bin/plusin ... oc=en&ext=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [WinPatrol Explorer] "C:\Program Files\BillP Studios\WinPatrol\WinPatrolEx.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [System Mechanic Popup Blocker] "C:\Program Files\iolo\System Mechanic Professional 6\PopupBlocker.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5581223125
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/Wsc ... erCtrl.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/share ... cgdmgr.cab
O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn/in ... ction3.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic Professional 6\IoloSGCtrl.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Edit: Removed email address - 'KG

Post by John B. » April 20th, 2007, 11:17 am

Hi,

*zappa wrote: "Please make a folder there, call it HijackThis and place HijackThis.exe in that folder."

I wasn't sure where "there" was to put the folder, so I put it under Program Files.


Before saying that sentence I said "You currently are running HijackThis from your desktop.", so with "there" I meant your desktop. It's fine under Program Files :)

*zappa wrote: Tried to remove the bikini screen saver with the add/remove function in the control panel and received this message: "Could not open install.log file".


Knew it wouldn't be easy to remove it. We'll work on that :)

*zappa wrote: AVG running in safe mode, I received this message:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn AT spywareinfo DOT com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2800.1106
HijackThis version: 1.99.1

(I may have caused this to happen as I accidentally hit the scan button, then a few seconds later stopped the scan?)


This is the error message from HijackThis...

*zappa wrote: There is no listing on the add/remove menu to remove Adobe 7, although it is still showing under Windows Explorer.


I'll include that in my fix today :)

*zappa wrote: Ran Gmer and got a nice long report. Hit the copy button and was notified the contents were copied to the clipboard, but I could not copy any of it into Notepad, Word or WordPad. I have tried several times using different methods to no avail. It wipes out the previous content of the clipboard but does not insert anything new.


We'll use another scanner.

Step 1: Download and Run Blacklight
Download F-Secure Blacklight (fsbl.exe) to the desktop from here.

Open it and click Accept Agreement.
Click Scan.
After the scan is complete, click Next, then Exit.
It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
Save the log to your desktop.

Step 2: Show your hidden files
To enable the viewing of Hidden files follow these steps:
  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon (or click Start, then select My Computer)
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
    Now your computer is configured to show all hidden files.
Step 3: Delete bad folder
Use Explorer to navigate to and delete the following folder (if present):

<the Adobe Reader 7 folder>

Also please check if the following file exists:

c:\WINDOWS\unbik6\INSTALL.LOG

If it is present please move on to Step 4.

If it isn't present please do this:
  • Make a new Notepad file in the c:\WINDOWS\unbik6 folder. Save it as "All Files" and name it INSTALL.LOG
  • Now just exit Explorer.
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):

    Bikini Twins Screen Saver


Step 4: Post the Blacklight log
Also tell me about the adventures you had this time ;)

Greets, John.

Post by *zappa » April 20th, 2007, 4:55 pm

Results from the last instructions:
Downloaded and installed Blacklight. Received the following message:
"F-Secure Blacklight could not acquire necessary privileges (SeDebug privileges). Your computer settings may prevent acquiring these privileges / a malicious program may have disabled these privileges"

I've uninstalled and reinstalled, turned off all firewall and antispyware programs, even uninstalled it and tried to run it from the link, and always receive this message.

removed adobe 7

created install.log file in unbik6

I want to thank you again for all of your help. I've been trying to resolve these problems for over 3 weeks now (long before I contacted you), and if I can't get this fixed soon I think I will reformat the hard drive, or just throw the computer out the window.

Cheers, John 8)

Post by John B. » April 21st, 2007, 10:05 am

Hi,

I don't think there's really a reason to reformat. The only thing still left is Bikini Twins Screen Saver, which is not really a problem to live with.

Download VX2Finder by Option^Explicit from here and save it to your Desktop.
Double click to run it.
Click the Restore Policy button on the right hand side, and then OK in the Administrator Policy window that opens.
Close the program.

Now try Blacklight again please :)

Can you also tell me if you're still having any problems/questions?

Greets, John.