Adware Remover 2007 2.1

[sparky3]

The above programme has appeared on my PC. It is constantly trying to scan my PC. The programme is not listed when I go into Add/Remove Programmes, although there is an icon in the icon tray and a shortcut on the desktop. When I try to close the application another pop up appears on the screen. I am unable to exit the programme, all I can do is select Task Manager to stop the programme running.

Every time I boot up my PC the programme re-appears and starts to scan my PC. It completes the scan and will not allow closure of the application. There are two boxes, one to purchase licence and one to continue scanning.

It is also disabling Norton Auto Protect that I have installed.

Any advise on how to rid myself of this unwanted programme for good, would be gratefully appreciated.

Thanks

Sparky

 

[WhitPhil]

Download, install and run HiJackThis

Run the Scan and Save log option.
When the LOG file opens in NotePad, select All > Copy
Then return to this thread, Post a Reply, and Paste in the contents for review.

 

[sparky3]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:03 PM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Leeds United FC - DNA\app.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {04EFB2DA-CD3F-43F5-84B1-F160B6F6DEA0} - C:\WINDOWS\system32\dbnmpnt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe] C:\Program Files\MSN\MSNCoreFiles\update.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Leeds United FC - Desktop News Alerts] C:\Program Files\Leeds United FC - DNA\launch.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
O4 - HKUS\S-1-5-18\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {33331111-1131-1111-1111-611111193428} -
O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29bd.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F020B55-BE77-4A8A-A4B0-3D977ADAE60C}: NameServer = 212.139.132.6 212.139.132.7
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O21 - SSODL: bestreak - - (no file)
O21 - SSODL: hstsys - {36E50FF7-3BDF-463D-8EB1-741B681C5A33} - C:\WINDOWS\hstsys.dll
O22 - SharedTaskScheduler: - bestreak - (no file)
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9153 bytes

 

[dvk01]

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

[sparky3]

SDFix: Version 1.113

Run by The Sexy Amps' on Thu 11/01/2007 at 08:25 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\hostctrl.dll - Deleted
C:\WINDOWS\hstsys.dll - Deleted
C:\WINDOWS\ntspkmxl.dll - Deleted
C:\WINDOWS\optnet.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\WINDOWS\system32\ntos.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 20:37:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Thu 5 Jul 2007 363 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2.tmp"
Sat 10 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 6 Jun 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
Mon 6 Jun 2005 273,070 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
Mon 6 Jun 2005 155,336 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

Finished!

 

[dvk01]

next

Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.


Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

then after running combofix

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

• Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • In the Processes group click Non-Microsoft
  • In the Win32 Services group click Non-Microsoft
  • In the Driver Services group click Non-Microsoft
  • In the Registry group click ALL
  • In the Files Created Within group click 30 days Make sure Non-Microsoft only is CHECKED
  • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
  • In the File String Search group select ALL
  in the Additional scans sections please press select all and then unselect event viewer. uncheck non-microsoft only
• Now click the Run Scan button on the toolbar.
• The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Save that notepad file

Use the Reply button and attach the notepad file here . I will review it when it comes in.

 

[sparky3]

ComboFix 07-11-01.1 - The Sexy Amps' 2007-11-03 12:25:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 0:00]
Running from: C:\Documents and Settings\The Sexy Amps'\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\The Sexy Amps'\Application Data\install_en[1].exe
C:\Program Files\ivideocodec
C:\Program Files\ivideocodec\ot.ico
C:\Program Files\ivideocodec\ts.ico
C:\UGA6P
C:\WINDOWS\system32\dbnmpnt.dll
C:\WINDOWS\system32\drivers\pvhwydib.dat
C:\WINDOWS\system32\drivers\vnafudcc.dat
C:\WINDOWS\system32\mbsrm32.exe
C:\WINDOWS\system32\u2g.f
C:\WINDOWS\system32\UBSauthenticateAXC.ocx
C:\WINDOWS\system32\winiconmon.ico
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll.cla

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MGLPEWGN
-------\mglpewgn


((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
.

2007-11-03 12:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 20:24 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-30 22:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-30 17:19 32 --ahs---- C:\WINDOWS\system32\{D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat
2007-10-30 17:19 32 --ahs---- C:\WINDOWS\{A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat
2007-10-30 17:19 14 --a------ C:\WINDOWS\system32\SR2.dat
2007-10-30 17:18 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-30 17:18 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-30 17:18 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
2007-10-30 17:17 <DIR> d-------- C:\Program Files\Norton AntiVirus
2007-10-30 16:53 156,301 --a------ C:\WINDOWS\system32\drivers\GoBack2K.sys
2007-10-30 16:53 15,024 --a------ C:\WINDOWS\system32\drivers\GBFSHook.sys
2007-10-30 16:53 3,945 --a------ C:\WINDOWS\system32\drivers\GBDevice.sys
2007-10-29 15:23 <DIR> d-------- C:\Program Files\AdwareRemover2007
2007-10-28 07:39 <DIR> d-------- C:\Documents and Settings\The Sexy Amps'\Application Data\PCSecureSystem
2007-10-28 07:39 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-03 12:31 62,348 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-03 12:31 5,345,312 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-10-30 17:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-30 17:18 --------- d-----w C:\Program Files\Symantec
2007-10-30 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-30 17:12 --------- d-----w C:\Program Files\Norton SystemWorks
2007-10-29 22:25 --------- d-----w C:\Program Files\Leeds United FC - DNA
2007-10-29 16:55 --------- d-----w C:\Program Files\Common Files\DriveCleaner Freeware
2007-10-13 05:59 --------- d-----w C:\Documents and Settings\The Sexy Amps'\Application Data\MSN6
2007-09-20 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-14 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Driving Test Success
2007-09-14 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hazard Perception Training
2007-09-14 20:39 --------- d-----w C:\Program Files\Hazard Perception 2003-2004
2007-09-09 07:57 --------- d-----w C:\Program Files\Microsoft Works
2007-09-06 15:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-09-06 15:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2007-08-30 13:39 2,560 ----a-w C:\sysfpob.exe
2007-06-17 07:24 30,240 ----a-w C:\Documents and Settings\The Sexy Amps'\Application Data\GDIPFONTCACHEV1.DAT
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1da7dbe8-c51b-4ae4-bc6e-21863349b0b4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-21 14:11]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 18:11]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2005-09-25 18:11]
"EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.exe" [2005-02-08 04:00]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12]
"C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe"="C:\Program Files\MSN\MSNCoreFiles\update.exe" [2002-10-16 13:31]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
"Advanced Tools Check"="C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE" [2002-08-26 22:35]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
"Leeds United FC - Desktop News Alerts"="C:\Program Files\Leeds United FC - DNA\launch.exe" [2006-10-10 09:15]
"AdwareRemover2007"="C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe" [2007-10-29 15:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"NTSF MICROSOFT SYSTEM"=winsis32.exe
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2007-10-30 16:53:20]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys
S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-30 18:41:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-30 17:31:31 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~2\NAVW32.exe
"2007-11-03 12:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 12:40:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = ??????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\DOCUME~1\\THESEX~1\\LOCALS~1\\Temp\\update.exe"="C:\\Program Files\\MSN\\MSNCoreFiles\\update.exe"
.
Completion time: 2007-11-03 12:45:39 - machine was rebooted
.
--- E O F ---

 

[sparky3]

File attached

 

[dvk01]

WinPFind3 Fix -


Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - All]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe -> %ProgramFiles%\MSN\MSNCoreFiles\update.exe
< Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> AdwareRemover2007 -> %ProgramFiles%\AdwareRemover2007\AdwareRemover2007.exe
YN -> BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\lib\NMBgMonitor.exe
< SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
YN -> bestreak [HKLM] -> Reg Data - Key not found [ ]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> ShellBrowser\\{5A074B29-F830-49DE-A31B-5BB9D7F6B407} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{1A29A79A-B9C8-44A9-BEDF-7FADDE3CF33F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{57F02779-3D88-4958-8AD3-83C12D86ADC7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{A2595F37-48D0-46A1-9B51-478591A97764} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar]
[Files/Folders - Created Within 30 days]
NY -> VDMA0.tmp -> %SystemRoot%\VDMA0.tmp
NY -> VDMA1.tmp -> %SystemRoot%\VDMA1.tmp
NY -> {A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat -> %SystemRoot%\{A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat
NY -> {D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat -> %System32%\{D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat
NY -> PCSecureSystem -> %UserAppData%\PCSecureSystem
[Empty Temp Folders]
[Reboot]

[Reboot]

The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

when it reboots


Post the following back here:


the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

 

[sparky3]

Hi Derek

Have tried to run this fix but the programme froze. After about 15 minutes I had to End Task.

When trying to go back into the folder I got the following message "I/OError 103", when I clicked ok the Run Fix folder opened. I pasted the fix into the box again and when I clicked on Run Fix I got the following message "Access violationat address 00462F9F in module "WinPFind3U.exe". Read of address 00000004.

Please advise.

 

[dvk01]

reboot teh computer & try again

 

[sparky3]

Hi Derek

Have tried to reboot the PC this morning. All we are getting is a black screen with a flashing white cursor in the top corner and a message that says "NTLDR is missing. CNTRL, ALT & Delete to restart.

Have tried this, but the same screen appears.

Please advise

Regards

 

[dvk01]

all I can suggest is work through the advice here
http://www.computerhope.com/issues/ch000465.htm

it does sound like hard disc has possibly failed from the symptoms

 

[sparky3]

Hi Derek

Thanks for the advise and web link.

If and when we are able to access our PC, do we need to try running the "Fix" again or has trying to run this caused our current problem?

Regards

 

[dvk01]

I doubt if it is the fix we did should have anything to do with the probklem

however to be safe when you get it back post a fresh HJT log first