05-Feb-2009, 09:35 PM
#1

Slow running, Ads popping up

Hello everyone, it is my first time here, so I apologize if I am not as coherent as people who regularly use this site. My computer has been running slow and I was led to believe I had some malware on my computer. Ads were popping up in Internet Explorer when I use Mozilla Firefox, and my internet has been running slowly. I tried to fix the problem using Ad-Aware, the free edition, and CCleaner. They seemed to do something, because the ads now pop up in Mozilla Firefox instead of Internet Explorer. But I do have a new program in "Add or Remove Programs" called Command that I cannot remove, and it always takes me to a website and says to download something to remove it (which I am smart enough not to do). Any and all help is greatly appreciated! I shall be here till about eight thirty tonight (Central) and then will check back tomorrow if no reply by then!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:04:51 PM, on 2/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Documents and Settings\Adam Levy\Application Data\cogad\cogad.exe
C:\Documents and Settings\Adam Levy\Application Data\Twain\Twain.exe
C:\PROGRA~1\COMMON~1\rirf\rirfm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\COMMON~1\rirf\rirfa.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\QWRhbQ\command.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [288daa17] rundll32.exe "C:\WINDOWS\system32\xjillgor.dll",b
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Adam Levy\Application Data\cogad\cogad.exe" 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Adam Levy\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [rirf] C:\PROGRA~1\COMMON~1\rirf\rirfm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: xqsiec.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRhbQ\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4926 bytes

Last edited by Urimbray; 06-Feb-2009 at 05:03 PM.
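The log in the post above carries the classic signs a helper scans for by eye: a Run value with a random hex name loading a DLL through rundll32 with a one-letter export, autostarts living under Application Data, a non-empty AppInit_DLLs line (O20), and two services with "Unknown owner". One detail worth decoding is the service directory C:\WINDOWS\QWRhbQ: by the editor's observation, QWRhbQ is base64 for "Adam", the account name shown in the log, so the dropper named its folder after the victim. The script below is an added example written by the editor, not code from the thread, HijackThis or TSG. It applies those heuristics to HijackThis-format lines; the thresholds (eight or more hex characters, one-letter export, the user-writable path list) are the editor's judgment calls, and the sample log is a constructed excerpt modelled on the entries above, not the log itself.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v2 line format (modelled on the log above, not a copy).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [288daa17] rundll32.exe "C:\WINDOWS\system32\xjillgor.dll",b
O4 - HKCU\..\Run: [cogad] "C:\Documents and Settings\Adam Levy\Application Data\cogad\cogad.exe" 61A847B5
O20 - AppInit_DLLs: xqsiec.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRhbQ\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Directories a per-user process can write to; a machine-wide autostart has no business there.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\")
# First directory component under the Windows directory, e.g. "system32" or "QWRhbQ".
WINDIR_SUBDIR = re.compile(r"\\windows\\([^\\]+)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    severity: str                      # "high" or "low"
    reasons: list = field(default_factory=list)


def decode_if_base64(name: str):
    """Return the decoded text if name is base64 of printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{4,}", name) or len(name) % 4 == 1:
        return None
    padded = name + "=" * (-len(name) % 4)      # ComboFix/HJT output drops the '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def triage_line(line: str):
    """Apply the heuristics to one HijackThis line; None when nothing fires."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    hits = []                                   # (severity, reason)

    if code == "O20" and low.startswith("appinit_dlls:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            hits.append(("high", f"AppInit_DLLs injects {dll} into every process that loads user32"))
    if code == "O23" and "unknown owner" in low:
        hits.append(("high", "service binary carries no vendor string"))
    if code == "O4":
        if any(marker in low for marker in USER_WRITABLE):
            hits.append(("high", "autostart from a user-writable directory"))
        name = re.search(r"\[([^\]]+)\]", body)
        if name and re.fullmatch(r"[0-9a-f]{8,}", name.group(1), re.IGNORECASE):
            hits.append(("high", "Run value name is a random hex string"))
        rd = re.search(r'rundll32(?:\.exe)?\s+"?[^",]+"?,(\w+)', body, re.IGNORECASE)
        if rd and len(rd.group(1)) == 1:
            hits.append(("high", "rundll32 loader with a one-letter export"))
    if "(no file)" in low:
        hits.append(("low", "orphaned entry, target file is missing"))
    sub = WINDIR_SUBDIR.search(body)
    if sub:
        decoded = decode_if_base64(sub.group(1))
        if decoded:
            hits.append(("high", f"directory {sub.group(1)} is base64 for {decoded!r}"))

    if not hits:
        return None
    severity = "high" if any(s == "high" for s, _ in hits) else "low"
    return Finding(line.strip(), severity, [r for _, r in hits])


def triage(log_text: str):
    """Run triage_line over a whole log and keep only the lines that fired."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

The heuristics are deliberately narrow so that vendor entries like the NVIDIA and Java lines pass untouched; the point is to surface the handful of lines that need a human decision, not to replace one. An orphaned entry such as the Yahoo! URLSearchHook is reported as low severity because removing it is cosmetic, as the later replies in this thread show.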
15-Feb-2009, 09:27 AM
#5

Hi, welcome to TSG!!

Download ComboFix from one of these locations:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Please note once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.
15-Feb-2009, 11:05 PM
#6

ComboFix 09-02-15.01 - Adam Levy 2009-02-15 21:32:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.726 [GMT -6:00]
Running from: c:\documents and settings\Adam Levy\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Adam Levy\Application Data\GetModule
c:\documents and settings\Adam Levy\Application Data\GetModule\dicik.gz
c:\documents and settings\Adam Levy\Application Data\GetModule\kwdik.gz
c:\documents and settings\Adam Levy\Application Data\GetModule\ofadik.gz
c:\documents and settings\Adam Levy\Application Data\twain\Twain.exe
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\program files\Common Files\rirf
c:\program files\Common Files\rirf\rirfa.exe
c:\program files\Common Files\rirf\rirfa.lck
c:\program files\Common Files\rirf\rirfd\class-barrel
c:\program files\Common Files\rirf\rirfd\rirfc.dll
c:\program files\Common Files\rirf\rirfd\vocabulary
c:\program files\Common Files\rirf\rirfh
c:\program files\Common Files\rirf\rirfl.exe
c:\program files\Common Files\rirf\rirfl.lck
c:\program files\Common Files\rirf\rirfm.exe
c:\program files\Common Files\rirf\rirfm.lck
c:\program files\Common Files\rirf\rirfp.exe
c:\program files\inetget2
c:\program files\inetget2\stub109_4_0_4_0.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\windows\QWRhbQ\
c:\windows\QWRhbQ\\asappsrv.dll.vir
c:\windows\QWRhbQ\\command.exe
c:\windows\QWRhbQ\\kql1vk.vbs
c:\windows\QWRhbQ\command.exe
c:\windows\rirf
c:\windows\rirf\rirf.dat
c:\windows\rirf\wu
c:\windows\system32\amkydrlg.dll
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\aufbpj.dll
c:\windows\system32\biflhlty.dll
c:\windows\system32\cclhcn.dll
c:\windows\system32\cdgjylcj.dll
c:\windows\system32\cnevit.dll
c:\windows\system32\efcDVmkh.dll
c:\windows\system32\ekrubuwp.dll
c:\windows\system32\fgctfkrj.ini
c:\windows\system32\fgugjrhc.ini
c:\windows\system32\gawneb.dll
c:\windows\system32\ggNTCfhk.ini
c:\windows\system32\ggNTCfhk.ini2
c:\windows\system32\gpntcnhj.dll
c:\windows\system32\hikdfbtr.dll
c:\windows\system32\jfhccihy.dll
c:\windows\system32\jxnndvol.ini
c:\windows\system32\kgksiulr.ini
c:\windows\system32\khfCTNgg.dll
c:\windows\system32\lovdnnxj.dll
c:\windows\system32\pfbaefix.dll
c:\windows\system32\pgwfulge.ini
c:\windows\system32\psufcq.dll
c:\windows\system32\qrvarm.dll
c:\windows\system32\rluiskgk.dll
c:\windows\system32\rogllijx.ini
c:\windows\system32\sdzcso.dll
c:\windows\system32\trtqqiqv.dll
c:\windows\system32\tsuninst.exe
c:\windows\system32\twspyird.dll
c:\windows\system32\uoxqmsqr.ini
c:\windows\system32\vbpnefap.ini
c:\windows\system32\wpv071233435211.cpx
c:\windows\system32\xqsiec.dll
c:\windows\system32\yayvVMDv.dll
c:\windows\system32\yhicchfj.ini
c:\windows\system32\zyqtzj.dll
c:\windows\Tasks\jdbyykoc.job
c:\windows\uninstall_nmon.vbs
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Service_cmdService

((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.
2009-02-15 21:11 . 2009-02-15 21:11 36,352 --a------ c:\windows\system32\urqPgebY.dll
2009-02-08 11:06 . 2009-02-08 11:06 <DIR> d-------- c:\windows\Cache
2009-02-08 11:06 . 2009-02-08 11:06 <DIR> d-------- c:\program files\Coupons
2009-02-08 11:06 . 2009-02-08 11:06 197,976 -ra------ c:\windows\system32\cpnprt2.cid
2009-02-05 19:30 . 2009-02-05 19:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 17:38 . 2009-02-04 17:38 <DIR> d-------- C:\!KillBox
2009-02-04 17:25 . 2009-02-04 17:25 67 --a------ c:\windows\wininit.ini
2009-02-04 16:50 . 2009-02-15 21:32 <DIR> d-------- c:\documents and settings\Adam Levy\Application Data\Twain
2009-02-03 06:53 . 2009-02-03 06:53 <DIR> d-------- c:\program files\WebShow
2009-02-01 22:03 . 2009-02-01 22:03 <DIR> d-------- c:\documents and settings\Adam Levy\Application Data\cogad
2009-01-19 19:43 . 2009-01-19 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverCure
2009-01-19 19:43 . 2009-01-19 19:43 <DIR> d-------- c:\documents and settings\Adam Levy\Application Data\DriverCure
2009-01-19 19:42 . 2009-01-19 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 03:35 --------- d-----w c:\program files\Mjcore
2009-01-20 01:21 --------- d-----w c:\program files\Yahoo!
2009-01-17 20:58 34 ----a-w c:\documents and settings\Adam Levy\jagex_runescape_preferences.dat
2008-12-19 01:52 --------- d-----w c:\program files\Java
2008-11-17 01:35 271,716 ----a-w C:\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
2009-02-15 21:35 136704 --a------ c:\program files\Mjcore\Mjcore.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"cogad"="c:\documents and settings\Adam Levy\Application Data\cogad\cogad.exe" [2009-02-01 56832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-12 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=gawneb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA Games\\Red Alert 3 Beta\\RetailExe\\1.3\\ra3game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2844e476-63e3-11dd-a606-003018c38ef4}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38b1dfcf-6357-11dd-823a-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{51622E18-1CCE-40FC-83A0-A02C5F7E3DE6} - c:\windows\system32\khfCTNgg.dll
BHO-{5775ea59-5d3c-4d2c-a5c0-67dd6d0ceb4e} - c:\windows\system32\qrvarm.dll
HKCU-Run-DriverCure - c:\program files\ParetoLogic\DriverCure\DriverCure.exe
HKLM-Run-288daa17 - c:\windows\system32\rluiskgk.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Adam Levy\Application Data\Mozilla\Firefox\Profiles\r3ycah5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-15 21:35:27
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-839522115-776561741-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:24,8b,84,42,b8,47,9a,16,d7,e8,5b,05,2e,aa,f3,41,f8,00,45,e8,d8,
1f,3e,81,0a,91,2b,43,36,85,ea,e2,26,e2,28,63,33,ee,1a,f3,fa,32,19,19,61,20,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-15 21:37:44 - machine was rebooted [Adam Levy]
ComboFix-quarantined-files.txt 2009-02-16 03:37:41
Pre-Run: 116,907,401,216 bytes free
Post-Run: 116,854,099,968 bytes free
209 --- E O F --- 2009-01-14 03:36:59

If that fixed it, you, sir, are my savior.

Last edited by Urimbray; 15-Feb-2009 at 11:39 PM.
16-Feb-2009, 07:12 PM
#7

Open Notepad and copy and paste the text in the code box below into it:

Code:
KILLALL::
File::
c:\windows\system32\urqPgebY.dll
c:\windows\system32\gawneb.dll
Folder::
c:\program files\Mjcore
c:\documents and settings\Adam Levy\Application Data\cogad
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D88E1558-7C2D-407A-953A-C044F5607CEA}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cogad"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. It may ask to reboot. Post the contents of c:\Combofix.txt in your next reply.

Please download ATF Cleaner by Atribune.

Click Exit on the Main menu to close the program.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate link 1
alternate link 2
16-Feb-2009, 10:21 PM
#8

I was informed whenever I started ComboFix that the file C:\WINDOWS\QWRhbQ\asappsrv.dll was trying to attach to ComboFix. I was informed to write it down.

ComboFix 09-02-15.01 - Adam Levy 2009-02-16 20:07:06.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.675 [GMT -6:00]
Running from: c:\documents and settings\Adam Levy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Adam Levy\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\gawneb.dll
c:\windows\system32\urqPgebY.dll
.
The following files were disabled during the run:
c:\windows\QWRhbQ\asappsrv.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Adam Levy\Application Data\cogad
c:\documents and settings\Adam Levy\Application Data\cogad\cogad.exe
c:\documents and settings\Adam Levy\Application Data\twain\Twain.exe
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Adam Levy\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\program files\VnrPack
c:\program files\VnrPack\dicts.gz
c:\program files\VnrPack\trgts.gz
c:\program files\VnrPack\VnrPack24.exe
c:\windows\QWRhbQ\
c:\windows\QWRhbQ\\asappsrv.dll.vir
c:\windows\QWRhbQ\\command.exe
c:\windows\QWRhbQ\\kql1vk.vbs
c:\windows\QWRhbQ\command.exe
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\urqPgebY.dll
c:\windows\uninstall_nmon.vbs
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor

((((((((((((((((((((((((( Files Created from 2009-01-17 to 2009-02-17 )))))))))))))))))))))))))))))))
.
2009-02-08 11:06 . 2009-02-08 11:06 <DIR> d-------- c:\windows\Cache
2009-02-08 11:06 . 2009-02-08 11:06 <DIR> d-------- c:\program files\Coupons
2009-02-08 11:06 . 2009-02-08 11:06 197,976 -ra------ c:\windows\system32\cpnprt2.cid
2009-02-05 19:30 . 2009-02-05 19:30 <DIR> d-------- c:\program files\Trend Micro
2009-02-04 17:38 . 2009-02-04 17:38 <DIR> d-------- C:\!KillBox
2009-02-04 17:25 . 2009-02-04 17:25 67 --a------ c:\windows\wininit.ini
2009-02-04 16:50 . 2009-02-16 20:07 <DIR> d-------- c:\documents and settings\Adam Levy\Application Data\Twain
2009-02-03 06:53 . 2009-02-15 21:40 <DIR> d-------- c:\program files\WebShow
2009-01-19 19:43 . 2009-01-19 19:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\DriverCure
2009-01-19 19:43 . 2009-01-19 19:43 <DIR> d-------- c:\documents and settings\Adam Levy\Application Data\DriverCure
2009-01-19 19:42 . 2009-01-19 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-20 01:21 --------- d-----w c:\program files\Yahoo!
2009-01-17 20:58 34 ----a-w c:\documents and settings\Adam Levy\jagex_runescape_preferences.dat
2008-12-19 01:52 --------- d-----w c:\program files\Java
2008-11-17 01:35 271,716 ----a-w C:\jagex_runescape_preferences.dat
.
((((((((((((((((((((((((((((( SnapShot@2009-02-15_21.37.13.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-09 23:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-02-12 04:56:17 21,244,872 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
+ 2009-02-17 02:10:39 16,384 ----atw c:\windows\temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-18 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-07-12 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA Games\\Red Alert 3 Beta\\RetailExe\\1.3\\ra3game.dat"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2844e476-63e3-11dd-a606-003018c38ef4}]
\Shell\AutoRun\command - F:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{38b1dfcf-6357-11dd-823a-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe
.
Contents of the 'Scheduled Tasks' folder
2008-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-cogad - c:\documents and settings\Adam Levy\Application Data\cogad\cogad.exe
HKCU-Run-VnrPack24 - c:\program files\VnrPack\VnrPack24.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Adam Levy\Application Data\Mozilla\Firefox\Profiles\r3ycah5s.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www13.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www13.yoog.com/search.php?q=
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 20:10:43
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-839522115-776561741-1801674531-1004\Software\SecuROM\License information*]
"datasecu"=hex:24,8b,84,42,b8,47,9a,16,d7,e8,5b,05,2e,aa,f3,41,f8,00,45,e8,d8,
1f,3e,81,0a,91,2b,43,36,85,ea,e2,26,e2,28,63,33,ee,1a,f3,fa,32,19,19,61,20,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-02-16 20:12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-17 02:12:53
ComboFix2.txt 2009-02-16 03:37:45
Pre-Run: 116,785,995,776 bytes free
Post-Run: 116,790,132,736 bytes free
168 --- E O F --- 2009-02-16 04:41:25

_______________________________________________________________________________________________________

Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.1.2600 Service Pack 3

2/16/2009 8:20:20 PM
mbam-log-2009-02-16 (20-20-20).txt

Scan type: Quick Scan
Objects scanned: 57518
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\bho_cpv.workhorse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_cpv.workhorse.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bho_myjavacore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.

_____________________________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:14 PM, on 2/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4547 bytes
17-Feb-2009, 07:13 PM
#9

Run HJT again and put a check in the following:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all applications and browser windows before you click "fix checked".

I don't see any anti-virus software running. Look in the TSG Library of Knowledge for suggestions. Some are purchased and some are free. Pick one and get your system protected.

Post a new hijackthis log after that.
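Spotting the kind of entry singled out above, an R3 URLSearchHook whose target file no longer exists, is mechanical enough to script. The Python below is an added example written for this page, not a TechGuy or HijackThis tool: it parses lines in the HijackThis v2.0.2 format used in this thread, extracts the section code and any CLSID, and flags entries that HijackThis reports as "(no file)" (the registry still points at something the scanner could not find on disk) or that launch from a user profile directory (a reviewer's heuristic, not something the thread states). The sample log is constructed from the format of the logs posted here; the `[example]` Run entry is invented to exercise the second check.

```python
"""Parse HijackThis-style log lines and flag entries a reviewer would look at first."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis v2.0.2 line format. The [example] entry is
# invented to show a startup item living in a user profile directory.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [example] C:\Documents and Settings\user\Application Data\example\example.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4547 bytes
"""


@dataclass
class HjtEntry:
    section: str              # HijackThis section code, e.g. "R3", "O2", "O4", "O23"
    raw: str                  # the full log line as written
    clsid: Optional[str]      # {GUID} carried by the line, if any
    orphaned: bool            # HijackThis printed "(no file)": registry reference with no file on disk
    flags: List[str] = field(default_factory=list)


# "R3 - ..." / "O23 - ..." lines; everything else (header, process list, footer) is skipped.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
# Windows XP per-user profile locations; startup items here deserve a second look (heuristic).
USER_PROFILE_RE = re.compile(
    r"Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)", re.IGNORECASE
)


def parse_hjt_log(text: str) -> List[HjtEntry]:
    """Return one HjtEntry per section line, with review flags attached."""
    entries: List[HjtEntry] = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        body = m.group("body")
        clsid_m = CLSID_RE.search(body)
        entry = HjtEntry(
            section=m.group("section"),
            raw=line,
            clsid=clsid_m.group(0) if clsid_m else None,
            orphaned=body.endswith("(no file)"),
        )
        if entry.orphaned:
            entry.flags.append("orphaned registry reference (no file on disk)")
        if USER_PROFILE_RE.search(body):
            entry.flags.append("launches from a user profile directory")
        entries.append(entry)
    return entries


def flagged_entries(text: str) -> List[HjtEntry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_hjt_log(text) if e.flags]


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.section:4} {e.clsid or '-':40} {'; '.join(e.flags)}")
        print(f"     {e.raw}")
```

Run on the sample it reports the Yahoo! Toolbar hook as orphaned and the invented `[example]` Run entry as a profile-directory launch; every other line is parsed but left unflagged. Swapping `SAMPLE_LOG` for the contents of a saved hijackthis.log is enough to reuse it.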
18-Feb-2009, 09:30 PM
#10

I believe it is still there and I had no applications or windows up. I will also look into the anti-virus, thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:43 PM, on 2/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4466 bytes
19-Feb-2009, 02:35 PM
#11

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
20-Feb-2009, 06:27 PM
#13

Start OTScanIt2. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.

Code:
[Registry - Safe List]
< Internet Explorer Settings [HKEY_CURRENT_USER\] > ->
YN -> HKEY_CURRENT_USER\: URLSearchHooks\\"{EF99BD32-C1FB-11D2-892F-0090271D4F88}" [HKLM] -> Reg Error: Key error. [Yahoo! Toolbar]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here. I will review the information when it comes back in.
20-Feb-2009, 07:59 PM
#14

[Registry - Safe List]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.8.0 fix logfile created on 02202009_175913
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.