1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Adware Remover 2007 2.1

Discussion in 'Virus & Other Malware Removal' started by sparky3, Oct 30, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    The above programme has appeared on my PC. It is constantly trying to scan my PC. The programme is not listed when I go into Add/Remove Programmes, although there is an icon in the icon tray and a shortcut on the desktop. When I try to close the application another pop up appears on the screen. I am unable to exit the programme, all I can do is select Task Manager to stop the programme running.

    Every time I boot up my PC the programme re-appears and starts to scan my PC. It completes the scan and will not allow closure of the application. There are two boxes, one to purchase licence and one to continue scanning.

    It is also disabling Norton Auto Protect that I have installed.

    Any advise on how to rid myself of this unwanted programme for good, would be gratefully appreciated.

    Thanks

    Sparky
     
  2. WhitPhil

    WhitPhil Gone but never forgotten Trusted Advisor

    Joined:
    Oct 4, 2000
    Messages:
    8,684
    Download, install and run HiJackThis

    Run the Scan and Save log option.
    When the LOG file opens in NotePad, select All > Copy
    Then return to this thread, Post a Reply, and Paste in the contents for review.
     
  3. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:19:03 PM, on 10/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Leeds United FC - DNA\app.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdownloads.com/success.htm
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    F2 - REG:system.ini: UserInit=userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: (no name) - {04EFB2DA-CD3F-43F5-84B1-F160B6F6DEA0} - C:\WINDOWS\system32\dbnmpnt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-gb\msntb.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: (no name) - {a2595f37-48d0-46a1-9b51-478591a97764} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [EPSON Stylus DX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.EXE /P26 "EPSON Stylus DX3800 Series" /O6 "USB001" /M "Stylus DX3800"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKLM\..\Run: [C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe] C:\Program Files\MSN\MSNCoreFiles\update.exe
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Leeds United FC - Desktop News Alerts] C:\Program Files\Leeds United FC - DNA\launch.exe
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [AdwareRemover2007] C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe
    O4 - HKUS\S-1-5-18\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {33331111-1111-1111-1111-611111193423} -
    O16 - DPF: {33331111-1111-1111-1111-611111193429} - http://www.www2.p0rt2.com/files/_ipsec_.cab
    O16 - DPF: {33331111-1111-1111-1111-615111193427} -
    O16 - DPF: {33331111-1131-1111-1111-611111193428} -
    O16 - DPF: {33331111-1234-1111-1111-615111193427} - http://www.www2.p0rt2.com/files/epl29bd.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7F020B55-BE77-4A8A-A4B0-3D977ADAE60C}: NameServer = 212.139.132.6 212.139.132.7
    O18 - Filter hijack: text/html - (no CLSID) - (no file)
    O21 - SSODL: bestreak - - (no file)
    O21 - SSODL: hstsys - {36E50FF7-3BDF-463D-8EB1-741B681C5A33} - C:\WINDOWS\hstsys.dll
    O22 - SharedTaskScheduler: - bestreak - (no file)
    O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 9153 bytes
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  5. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    SDFix: Version 1.113

    Run by The Sexy Amps' on Thu 11/01/2007 at 08:25 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default HomePage Value
    Restoring Default Desktop Components Value

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\hostctrl.dll - Deleted
    C:\WINDOWS\hstsys.dll - Deleted
    C:\WINDOWS\ntspkmxl.dll - Deleted
    C:\WINDOWS\optnet.dll - Deleted
    C:\WINDOWS\search_res.txt - Deleted
    C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
    C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
    C:\WINDOWS\system32\ntos.exe - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-01 20:37:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Kazaa\\kazaa.exe"="C:\\Program Files\\Kazaa\\kazaa.exe:*:Enabled:Kazaa"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Thu 5 Jul 2007 363 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti2.tmp"
    Sat 10 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Mon 6 Jun 2005 1,740 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\ccReg.reg"
    Mon 6 Jun 2005 273,070 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\CommonClient.reg"
    Mon 6 Jun 2005 155,336 A..HR --- "C:\Program Files\Common Files\Symantec Shared\Registry Backup\IAM.reg"

    Finished!
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
    next

    Download Combofix to your desktop:

    * Double-click combofix.exe & follow the prompts.
    * When finished, it shall produce a log for you. Post that log in your next reply.


    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    then after running combofix

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
    • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
      • In the Processes group click Non-Microsoft
      • In the Win32 Services group click Non-Microsoft
      • In the Driver Services group click Non-Microsoft
      • In the Registry group click ALL
      • In the Files Created Within group click 30 days Make sure Non-Microsoft only is CHECKED
      • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
      • In the File String Search group select ALL
      in the Additional scans sections please press select all and then unselect event viewer. uncheck non-microsoft only
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file
    Use the Reply button and attach the notepad file here . I will review it when it comes in.
     
  7. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    ComboFix 07-11-01.1 - The Sexy Amps' 2007-11-03 12:25:30.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.79 [GMT 0:00]
    Running from: C:\Documents and Settings\The Sexy Amps'\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\The Sexy Amps'\Application Data\install_en[1].exe
    C:\Program Files\ivideocodec
    C:\Program Files\ivideocodec\ot.ico
    C:\Program Files\ivideocodec\ts.ico
    C:\UGA6P
    C:\WINDOWS\system32\dbnmpnt.dll
    C:\WINDOWS\system32\drivers\pvhwydib.dat
    C:\WINDOWS\system32\drivers\vnafudcc.dat
    C:\WINDOWS\system32\mbsrm32.exe
    C:\WINDOWS\system32\u2g.f
    C:\WINDOWS\system32\UBSauthenticateAXC.ocx
    C:\WINDOWS\system32\winiconmon.ico
    C:\WINDOWS\system32\wsnpoem
    C:\WINDOWS\system32\wsnpoem\audio.dll.cla

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_MGLPEWGN
    -------\mglpewgn


    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .

    2007-11-03 12:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-01 20:24 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-10-30 22:17 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-30 17:19 32 --ahs---- C:\WINDOWS\system32\{D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat
    2007-10-30 17:19 32 --ahs---- C:\WINDOWS\{A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat
    2007-10-30 17:19 14 --a------ C:\WINDOWS\system32\SR2.dat
    2007-10-30 17:18 83,672 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-30 17:18 73,224 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-10-30 17:18 34,578 --a------ C:\WINDOWS\system32\drivers\NPDRIVER.SYS
    2007-10-30 17:17 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-10-30 16:53 156,301 --a------ C:\WINDOWS\system32\drivers\GoBack2K.sys
    2007-10-30 16:53 15,024 --a------ C:\WINDOWS\system32\drivers\GBFSHook.sys
    2007-10-30 16:53 3,945 --a------ C:\WINDOWS\system32\drivers\GBDevice.sys
    2007-10-29 15:23 <DIR> d-------- C:\Program Files\AdwareRemover2007
    2007-10-28 07:39 <DIR> d-------- C:\Documents and Settings\The Sexy Amps'\Application Data\PCSecureSystem
    2007-10-28 07:39 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 12:31 62,348 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-03 12:31 5,345,312 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
    2007-10-30 17:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-10-30 17:18 --------- d-----w C:\Program Files\Symantec
    2007-10-30 17:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-30 17:12 --------- d-----w C:\Program Files\Norton SystemWorks
    2007-10-29 22:25 --------- d-----w C:\Program Files\Leeds United FC - DNA
    2007-10-29 16:55 --------- d-----w C:\Program Files\Common Files\DriveCleaner Freeware
    2007-10-13 05:59 --------- d-----w C:\Documents and Settings\The Sexy Amps'\Application Data\MSN6
    2007-09-20 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
    2007-09-14 21:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Driving Test Success
    2007-09-14 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hazard Perception Training
    2007-09-14 20:39 --------- d-----w C:\Program Files\Hazard Perception 2003-2004
    2007-09-09 07:57 --------- d-----w C:\Program Files\Microsoft Works
    2007-09-06 15:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
    2007-09-06 15:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    2007-08-30 13:39 2,560 ----a-w C:\sysfpob.exe
    2007-06-17 07:24 30,240 ----a-w C:\Documents and Settings\The Sexy Amps'\Application Data\GDIPFONTCACHEV1.DAT
    2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1da7dbe8-c51b-4ae4-bc6e-21863349b0b4}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77701e16-9bfe-4b63-a5b4-7bd156758a37}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-02-21 14:11]
    "SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2005-09-25 18:11]
    "NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2005-09-25 18:11]
    "EPSON Stylus DX3800 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACE.exe" [2005-02-08 04:00]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
    "Ulead Photo Express Calendar Checker"="C:\Program Files\Ulead Systems\Ulead Photo Express 5 SE\calcheck.exe" [2004-01-12 20:40]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
    "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 13:12]
    "C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe"="C:\Program Files\MSN\MSNCoreFiles\update.exe" [2002-10-16 13:31]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 22:22]
    "ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 22:23]
    "Advanced Tools Check"="C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE" [2002-08-26 22:35]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" []
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
    "Leeds United FC - Desktop News Alerts"="C:\Program Files\Leeds United FC - DNA\launch.exe" [2006-10-10 09:15]
    "AdwareRemover2007"="C:\Program Files\AdwareRemover2007\AdwareRemover2007.exe" [2007-10-29 15:23]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
    "NTSF MICROSOFT SYSTEM"=winsis32.exe
    "PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
    GoBack.lnk - C:\Program Files\Roxio\GoBack\GBTray.exe [2007-10-30 16:53:20]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys
    S3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-30 18:41:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2007-10-30 17:31:31 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
    - C:\PROGRA~1\NORTON~2\NAVW32.exe
    "2007-11-03 12:42:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-03 12:40:45
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = ??????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C:\\DOCUME~1\\THESEX~1\\LOCALS~1\\Temp\\update.exe"="C:\\Program Files\\MSN\\MSNCoreFiles\\update.exe"
    .
    Completion time: 2007-11-03 12:45:39 - machine was rebooted
    .
    --- E O F ---
     
  8. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    File attached
     

    Attached Files:

  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
    WinPFind3 Fix -


    Start WinPFind3U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

    Code:
    [Unregister Dlls]
    [Registry - All]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> C:\DOCUME~1\THESEX~1\LOCALS~1\Temp\update.exe -> %ProgramFiles%\MSN\MSNCoreFiles\update.exe
    < Run [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> AdwareRemover2007 -> %ProgramFiles%\AdwareRemover2007\AdwareRemover2007.exe
    YN -> BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} -> %CommonProgramFiles%\Ahead\lib\NMBgMonitor.exe
    < SharedTaskScheduler [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
    YN -> bestreak [HKLM] -> Reg Data - Key not found [ ]
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {1da7dbe8-c51b-4ae4-bc6e-21863349b0b4} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    < Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
    YN -> ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> ShellBrowser\\{5A074B29-F830-49DE-A31B-5BB9D7F6B407} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{1A29A79A-B9C8-44A9-BEDF-7FADDE3CF33F} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{57F02779-3D88-4958-8AD3-83C12D86ADC7} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{A2595F37-48D0-46A1-9B51-478591A97764} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> Reg Data - Key not found [Yahoo! Toolbar]
    [Files/Folders - Created Within 30 days]
    NY -> VDMA0.tmp -> %SystemRoot%\VDMA0.tmp
    NY -> VDMA1.tmp -> %SystemRoot%\VDMA1.tmp
    NY -> {A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat -> %SystemRoot%\{A91AD121-2F9B-4CED-97B4-236F62AEC177}.dat
    NY -> {D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat -> %System32%\{D825281E-EB8E-4036-A2FC-3ACA1BD68CBD}.dat
    NY -> PCSecureSystem -> %UserAppData%\PCSecureSystem
    [Empty Temp Folders]
    [Reboot]
    
    [Reboot]
    
    
    The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    when it reboots


    Post the following back here:


    the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log)

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  10. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    Hi Derek

    Have tried to run this fix but the programme froze. After about 15 minutes I had to End Task.

    When trying to go back into the folder I got the following message "I/OError 103", when I clicked ok the Run Fix folder opened. I pasted the fix into the box again and when I clicked on Run Fix I got the following message "Access violationat address 00462F9F in module "WinPFind3U.exe". Read of address 00000004.

    Please advise.
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
    reboot teh computer & try again
     
  12. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    Hi Derek

    Have tried to reboot the PC this morning. All we are getting is a black screen with a flashing white cursor in the top corner and a message that says "NTLDR is missing. CNTRL, ALT & Delete to restart.

    Have tried this, but the same screen appears.

    Please advise

    Regards
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
  14. sparky3

    sparky3 Thread Starter

    Joined:
    Oct 30, 2007
    Messages:
    36
    Hi Derek

    Thanks for the advise and web link.

    If and when we are able to access our PC, do we need to try running the "Fix" again or has trying to run this caused our current problem?

    Regards
     
  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,367
    First Name:
    Derek
    I doubt if it is the fix we did should have anything to do with the probklem

    however to be safe when you get it back post a fresh HJT log first
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/645595

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice