1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

no control panel [needs malware help; moved from XP]

Discussion in 'Virus & Other Malware Removal' started by dan42baker, Nov 9, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    I do not have control panel in my start menu
    when i try to access add/remove programs or view system information from My Computer
    i get an error message saying "this action has been cancelled due to restrictions placed on this computer. Please contact your system administrater"

    Also getting spyware notice.... to my eternal delight

    I have seen threads to help people fix this but it seems like each Highjack this file is computer specific...here is mine
    PLEASE help me

    Logfile of HijackThis v1.99.1
    Scan saved at 5:19:37 PM, on 11/9/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\WinAvXX.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\RegClean\RegClean.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [seekmo] "c:\program files\seekmo\seekmo.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - Startup: system.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49B6F674-76E2-4BAF-B93E-035436FEDF4A}: NameServer = 85.255.113.91,85.255.112.9
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: MS-DOS Emulation - C:\WINDOWS\system32\f62mlgf1162.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    thank you in advance
    deliriosly happy dan
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Hi and welcome to TSG,

    Before you proceed with these instructions, please move HijackThis into a separate folder of its own in Program Files (not in the temporary files as you currently have it), so that it can create proper back-ups which can be restored, if necessary.


    Download ComboFix and save it to your desktop.

    **Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

    1. Close any open browsers.

    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick comboFix's window while it's running. That may cause it to stall**
     
  3. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    I dont know that i did close and disable everything on this computer
    i think i did..I ran the scan without knowing for sure...will you be able to tell from the report???....I am successfully making things worse by not knowing what im doing?

    here is combofix

    ComboFix 07-11-08.3 - Owner 2007-11-10 9:41:29.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.184 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
    C:\Documents and Settings\Owner\Application Data\install_enex[1].exe
    C:\Documents and Settings\Owner\Application Data\Sskknwrd.dll
    C:\Documents and Settings\Owner\ResErrors.log
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup\system.exe
    C:\Documents and Settings\Owner\www.google.com\index.html
    C:\Documents and Settings\Owner\www.google.com\thank.html
    C:\WINDOWS\drsmartloadb1.dat
    C:\WINDOWS\inet20126
    C:\WINDOWS\inet20126\www.google.com\Google_files\hp0.gif
    C:\WINDOWS\inet20126\www.google.com\Google_files\hp1.gif
    C:\WINDOWS\inet20126\www.google.com\Google_files\hp2.gif
    C:\WINDOWS\inet20126\www.google.com\Google_files\hp3.gif
    C:\WINDOWS\inet20126\www.google.com\index.html
    C:\WINDOWS\inet20126\www.google.com\thank.html
    C:\WINDOWS\system32\_000006_.tmp.dll
    C:\WINDOWS\system32\_002405_.tmp.dll
    C:\WINDOWS\system32\_002411_.tmp.dll
    C:\WINDOWS\system32\_002570_.tmp.dll
    C:\WINDOWS\system32\_002571_.tmp.dll
    C:\WINDOWS\system32\_002572_.tmp.dll
    C:\WINDOWS\system32\_002573_.tmp.dll
    C:\WINDOWS\system32\_002580_.tmp.dll
    C:\WINDOWS\system32\_002581_.tmp.dll
    C:\WINDOWS\system32\_002582_.tmp.dll
    C:\WINDOWS\system32\_002583_.tmp.dll
    C:\WINDOWS\system32\_002585_.tmp.dll
    C:\WINDOWS\system32\_002586_.tmp.dll
    C:\WINDOWS\system32\_002589_.tmp.dll
    C:\WINDOWS\system32\_002590_.tmp.dll
    C:\WINDOWS\system32\_002592_.tmp.dll
    C:\WINDOWS\system32\_002593_.tmp.dll
    C:\WINDOWS\system32\_002594_.tmp.dll
    C:\WINDOWS\system32\_002596_.tmp.dll
    C:\WINDOWS\system32\_002597_.tmp.dll
    C:\WINDOWS\system32\_002599_.tmp.dll
    C:\WINDOWS\system32\_002603_.tmp.dll
    C:\WINDOWS\system32\_002604_.tmp.dll
    C:\WINDOWS\system32\_002606_.tmp.dll
    C:\WINDOWS\system32\_002609_.tmp.dll
    C:\WINDOWS\system32\_002611_.tmp.dll
    C:\WINDOWS\system32\_002612_.tmp.dll
    C:\WINDOWS\system32\_002613_.tmp.dll
    C:\WINDOWS\system32\_002614_.tmp.dll
    C:\WINDOWS\system32\_002615_.tmp.dll
    C:\WINDOWS\system32\_002618_.tmp.dll
    C:\WINDOWS\system32\_002620_.tmp.dll
    C:\WINDOWS\system32\_002621_.tmp.dll
    C:\WINDOWS\system32\_002622_.tmp.dll
    C:\WINDOWS\system32\_002626_.tmp.dll
    C:\WINDOWS\system32\8_exception.nls
    C:\WINDOWS\system32\L23C1.tmp.exe
    C:\WINDOWS\system32\printer.exe
    C:\WINDOWS\system32\RunOnce.t__
    C:\WINDOWS\system32\RunOnce.tm_
    C:\WINDOWS\system32\RunOnce2.t__
    C:\WINDOWS\system32\RunOnce2.tm_
    C:\WINDOWS\system32\svcp.csv
    C:\WINDOWS\system32\WinAvXX.exe
    C:\WINDOWS\system32\winsub.xml
    C:\WINDOWS\system32\zlbw.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_RUNTIME
    -------\Runtime


    ((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
    .

    2007-11-10 09:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-10 09:26 <DIR> d-------- C:\Program Files\highjack this
    2007-11-09 16:58 <DIR> d-------- C:\Program Files\RegClean
    2007-11-09 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RegClean
    2007-11-09 14:38 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-09 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-12 14:12 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
    2007-10-12 11:00 <DIR> d-------- C:\Program Files\Norton 360
    2007-10-12 10:59 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-10-12 10:59 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-12 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
    2007-10-12 08:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OverDrive
    2007-10-12 08:38 <DIR> d-------- C:\Program Files\OverDrive Media Console
    2007-10-10 13:04 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-10 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-10 00:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-09 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-24 02:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
    2007-10-12 22:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-12 22:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-12 22:10 --------- d-----w C:\Program Files\Symantec
    2007-10-12 15:21 --------- d-----w C:\Program Files\Dtab
    2007-10-03 01:42 --------- d-----w C:\Program Files\iTunes
    2007-10-03 01:41 --------- d-----w C:\Program Files\iPod
    2007-10-03 01:40 --------- d-----w C:\Program Files\QuickTime
    2007-10-03 01:36 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-03 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-22 21:58 --------- d-----w C:\Program Files\The Weather Channel FW
    2007-09-22 21:58 --------- d-----w C:\Program Files\Freeze.com
    2007-09-22 21:58 --------- d-----w C:\Program Files\360Share
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
    2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
    2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
    2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
    2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
    2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
    2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
    2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
    2005-07-07 22:38 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-06-22 01:27:02 72 --sha-w C:\WINDOWS\system32\544084883.dat
    2005-02-01 21:51:46 56 --sha-r C:\WINDOWS\system32\E04B2C3A1E.sys
    2005-02-01 21:51:49 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" []
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 16:36]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-29 18:13]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 18:13]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
    "RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-10-18 08:03]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
    "Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 11:48]
    "DCC_send"="AliceSD.exe" []
    "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-04-30 10:51]
    "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-02 19:28:49]
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 15:42:33]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-04 13:49:28]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize"=1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= :\WINDOWS\System3

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\002k0cho.dll]
    RUNDLL32.EXE 002k0cho.dll,b 770171

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defect08]
    xxtoolbar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    ?????????

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzzo]
    C:\PROGRA~1\COMMON~1\qzzo\qzzom.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ?????????


    *Newly Created Service* - ALG
    *Newly Created Service* - COMHOST
    *Newly Created Service* - IPNAT
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-04 06:53:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-10 17:46:10 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-10 09:45:07
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-10 9:47:30 - machine was rebooted
    .
    --- E O F ---


    and here is highjack this

    Logfile of HijackThis v1.99.1
    Scan saved at 10:11:35 AM, on 11/10/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\RegClean\RegClean.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O17 - HKLM\System\CCS\Services\Tcpip\..\{49B6F674-76E2-4BAF-B93E-035436FEDF4A}: NameServer = 85.255.113.91,85.255.112.9
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    maybye i shouldnt be doing this. I feel very unqualified
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    You're doing fine. :)

    Please print these instructions for reference, as you will have to restart your computer during the fix.

    Please download FixWareout from Here or Here.

    Note: You will need to run this tool while having an Internet Connection. The tool will download other files while running.
    1. Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    2. The fix will begin; follow the prompts.
    3. If your firewall gives an alert, (because this tool will download an additional files from the internet), please don't let your firewall block it, but allow it instead.
    4. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
    5. Once the desktop loads a text file will open (report.txt).
      Please post the C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.
     
  5. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    alrighty
    here is the fixwareout

    Username "Owner" - 11/11/2007 8:25:52 [Fixwareout edited 9/01/2007]

    ~~~~~ Prerun check

    HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{49B6F674-76E2-4BAF-B93E-035436FEDF4A}
    "nameserver"="85.255.113.91,85.255.112.9" <Value cleared.

    Successfully flushed the DNS Resolver Cache.


    System was rebooted successfully.

    ~~~~~ Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "System"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "mansc" Value deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion "piusc" Value deleted
    HKCR\CLSID\{8AC428CD-B21B-45F3-A8C4-0C9682A7C1B5}\_h\4 Deleted.
    HKCR\CLSID\{8B87441B-90B0-456F-957C-7278A8688158}\_h\4 Deleted.
    ....
    ~~~~~ Misc files.
    C:\Documents and Settings\Owner\Application Data\uns.tmp Deleted
    C:\Documents and Settings\Owner\Application Data\wo.tmp Deleted
    C:\Documents and Settings\All Users\Favorites\AdultGambling.url Deleted
    C:\Documents and Settings\All Users\Favorites\Download Free Spyware Remover.url Deleted
    C:\Documents and Settings\All Users\Favorites\Free Online Dating.url Deleted
    C:\Documents and Settings\All Users\Favorites\**** Real Girls.url Deleted
    C:\Documents and Settings\All Users\Favorites\Kill Annoying Popups.url Deleted
    C:\Documents and Settings\All Users\Favorites\NEW VIAGRA at Half Price!.url Deleted
    C:\Documents and Settings\All Users\Favorites\Online Chat With Nude Girls.url Deleted
    C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url Deleted
    C:\Documents and Settings\All Users\Favorites\Order CIALIS online without leaving home..url Deleted
    C:\Documents and Settings\All Users\Favorites\PC protection in under 2 minutes!.url Deleted
    C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url Deleted
    C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url Deleted
    C:\Documents and Settings\All Users\Favorites\SEX Dating - Real Girls For Real SEX.url Deleted
    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url Deleted
    C:\Documents and Settings\All Users\Favorites\SPYWARE.url Deleted
    C:\Documents and Settings\All Users\Favorites\Stop PopUps On Your Computer.url Deleted
    C:\Documents and Settings\All Users\Favorites\VIAGRA at incredible low price. Bonus Pills!.url Deleted
    C:\Documents and Settings\All Users\Favorites\View ADULT photos of REAL GIRLS!.url Deleted
    C:\Documents and Settings\All Users\Favorites\XXX personal photos.url Deleted
    C:\WINDOWS\Help\SPAlert.chm Deleted
    C:\WINDOWS\System32\close.bmp Deleted
    C:\WINDOWS\System32\dating.bmp Deleted
    C:\WINDOWS\System32\drivers\zpmodemnt.sys Deleted
    C:\WINDOWS\System32\gambling.bmp Deleted
    C:\WINDOWS\System32\idesk.conf Deleted
    C:\WINDOWS\System32\insurance.bmp Deleted
    C:\WINDOWS\System32\msblank.html Deleted
    C:\WINDOWS\System32\pharmacy.bmp Deleted
    C:\WINDOWS\System32\spyware.bmp Deleted
    C:\WINDOWS\System32\winctrl16.exe Deleted
    C:\WINDOWS\System32\xxx.bmp Deleted
    C:\Documents and Settings\All Users\Favorites\Online Pharmacy Deleted
    C:\Documents and Settings\All Users\Favorites\Sex and Dating Deleted
    C:\Documents and Settings\All Users\Favorites\Spyware Uninstall Deleted
    ....
    ~~~~~ Checking for older varients.
    ....

    ~~~~~ Current runs (hklm hkcu "run" Keys Only)
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "webscan"="\"C:\\Program Files\\Acceleration Software\\Anti-Virus\\stopsignav.exe\" -k"
    "Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
    "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
    "Symantec PIF AlertEng"="\"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\PIFSvc.exe\" /a /m \"C:\\Program Files\\Common Files\\Symantec Shared\\PIF\\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\\AlertEng.dll\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "RegClean"="C:\\Program Files\\RegClean\\RegClean.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
    "Registry Cleaner"="\"C:\\Program Files\\Registry Cleaner\\RegClean.exe\""
    "SpySweeper"="C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe /0"
    "DCC_send"="AliceSD.exe"
    "Window Washer"="C:\\Program Files\\Webroot\\Washer\\wwDisp.exe"
    "DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
    ....
    Hosts file was reset, If you use a custom hosts file please replace it...
    ~~~~~ End report ~~~~~


    here is the highjack this

    Logfile of HijackThis v1.99.1
    Scan saved at 8:30:28 AM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\RegClean\RegClean.exe
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    thank you
    Dan
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Good job!

    Please run ComboFix again as you did before and post the new log since running FixWareout.
     
  7. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    here is combo fix

    ComboFix 07-11-08.3 - Owner 2007-11-11 19:43:12.2 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
    .

    2007-11-10 09:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-10 09:26 <DIR> d-------- C:\Program Files\highjack this
    2007-11-09 16:58 <DIR> d-------- C:\Program Files\RegClean
    2007-11-09 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RegClean
    2007-11-09 14:38 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-09 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-10-12 14:12 186,256 --a------ C:\WINDOWS\system32\SymNPPWA.dll
    2007-10-12 11:00 <DIR> d-------- C:\Program Files\Norton 360
    2007-10-12 10:59 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-10-12 10:59 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-12 10:15 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
    2007-10-12 08:39 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\OverDrive
    2007-10-12 08:38 <DIR> d-------- C:\Program Files\OverDrive Media Console

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-12 03:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-11 16:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-09 22:54 202,826 ----a-w C:\WINDOWS\system32\atasnt40.dll
    2007-11-09 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-24 02:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
    2007-10-12 22:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-12 22:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-12 22:10 --------- d-----w C:\Program Files\Symantec
    2007-10-12 15:21 --------- d-----w C:\Program Files\Dtab
    2007-10-03 01:42 --------- d-----w C:\Program Files\iTunes
    2007-10-03 01:41 --------- d-----w C:\Program Files\iPod
    2007-10-03 01:40 --------- d-----w C:\Program Files\QuickTime
    2007-10-03 01:36 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-03 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-22 21:58 --------- d-----w C:\Program Files\The Weather Channel FW
    2007-09-22 21:58 --------- d-----w C:\Program Files\Freeze.com
    2007-09-22 21:58 --------- d-----w C:\Program Files\360Share
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
    2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
    2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
    2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
    2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
    2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
    2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
    2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
    2005-07-07 22:38 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-06-22 01:27:02 72 --sha-w C:\WINDOWS\system32\544084883.dat
    2005-02-01 21:51:46 56 --sha-r C:\WINDOWS\system32\E04B2C3A1E.sys
    2005-02-01 21:51:49 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_ 9.46.13.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-09 23:36:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-11 16:27:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-10 17:44:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-11 16:27:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-10 17:44:46 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-11 16:27:08 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-11-10 17:41:25 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2007-11-12 03:43:08 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    - 2007-05-29 20:55:35 22,112 ----a-r C:\WINDOWS\system32\drivers\COH_Mon.sys
    + 2007-05-29 21:55:35 22,112 ----a-r C:\WINDOWS\system32\drivers\COH_Mon.sys
    - 2007-10-28 16:47:29 41,880 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-10 17:47:02 41,880 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-28 16:47:29 316,272 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-10 17:47:02 316,272 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" []
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 16:36]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-29 18:13]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 18:13]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
    "RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-10-18 08:03]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
    "Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 11:48]
    "DCC_send"="AliceSD.exe" []
    "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-04-30 10:51]
    "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-02 19:28:49]
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 15:42:33]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-04 13:49:28]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"= :\WINDOWS\System3

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\002k0cho.dll]
    RUNDLL32.EXE 002k0cho.dll,b 770171

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defect08]
    xxtoolbar.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
    ?????????

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qzzo]
    C:\PROGRA~1\COMMON~1\qzzo\qzzom.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
    ?????????

    R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\System32\DRIVERS\ATNT40K.SYS
    S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-11 06:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2007-11-11 16:29:35 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
    - C:\Program Files\RegClean\RegClean.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-11 19:45:42
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-11 19:46:50
    C:\ComboFix2.txt ... 2007-11-10 09:47
    .
    --- E O F ---

    Here is highjack this

    Logfile of HijackThis v1.99.1
    Scan saved at 7:50:45 PM, on 11/11/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\RegClean\RegClean.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Thank You (again)
    Dan
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Open Notepad and copy and paste the text in the quote box below into it:

    Save the file to your desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
     
  9. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    here is combo fix

    ComboFix 07-11-08.3 - Owner 2007-11-12 18:34:35.3 - NTFSx86
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Freeze.com
    C:\Program Files\Freeze.com\Birthday EZ Cards\EZCards7HB.exe
    C:\Program Files\Freeze.com\Birthday EZ Cards\freeze.ico
    C:\Program Files\Freeze.com\Birthday EZ Cards\undata.exe
    C:\Program Files\Freeze.com\Birthday EZ Cards\undata.ini
    C:\Program Files\Freeze.com\Birthday EZ Cards\UNINSTAL.EXE

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
    .

    2007-11-10 09:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-10 09:26 <DIR> d-------- C:\Program Files\highjack this
    2007-11-09 16:58 <DIR> d-------- C:\Program Files\RegClean
    2007-11-09 16:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\RegClean
    2007-11-09 14:38 <DIR> d-------- C:\Program Files\Lavasoft
    2007-11-09 14:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-13 02:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-11-11 16:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-11 07:33 --------- d-----w C:\Program Files\Norton 360
    2007-11-09 22:54 202,826 ----a-w C:\WINDOWS\system32\atasnt40.dll
    2007-11-09 22:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-24 02:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
    2007-10-12 22:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-12 22:10 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-12 22:10 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-10-12 22:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-12 22:10 --------- d-----w C:\Program Files\Symantec
    2007-10-12 16:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\OverDrive
    2007-10-12 16:38 --------- d-----w C:\Program Files\OverDrive Media Console
    2007-10-12 15:21 --------- d-----w C:\Program Files\Dtab
    2007-10-03 01:42 --------- d-----w C:\Program Files\iTunes
    2007-10-03 01:41 --------- d-----w C:\Program Files\iPod
    2007-10-03 01:40 --------- d-----w C:\Program Files\QuickTime
    2007-10-03 01:36 --------- d-----w C:\Program Files\Apple Software Update
    2007-10-03 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-22 21:58 --------- d-----w C:\Program Files\The Weather Channel FW
    2007-09-22 21:58 --------- d-----w C:\Program Files\360Share
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
    2007-09-18 21:44 10,662 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
    2007-09-18 21:44 10,658 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
    2007-09-18 21:44 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
    2007-09-18 21:44 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
    2007-09-18 21:44 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
    2007-09-18 21:43 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
    2007-09-18 21:43 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
    2007-09-18 21:43 278,576 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
    2005-07-07 22:38 0 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
    2007-06-22 01:27:02 72 --sha-w C:\WINDOWS\system32\544084883.dat
    2005-02-01 21:51:46 56 --sha-r C:\WINDOWS\system32\E04B2C3A1E.sys
    2005-02-01 21:51:49 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( [email protected]_ 9.46.13.24 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-11-09 23:36:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-11 16:27:08 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-10 17:44:46 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-11 16:27:08 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-10 17:44:46 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-11 16:27:08 81,920 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2007-11-10 17:41:25 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    + 2007-11-13 02:34:29 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
    - 2007-05-29 20:55:35 22,112 ----a-r C:\WINDOWS\system32\drivers\COH_Mon.sys
    + 2007-05-29 21:55:35 22,112 ----a-r C:\WINDOWS\system32\drivers\COH_Mon.sys
    - 2007-10-28 16:47:29 41,880 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-10 17:47:02 41,880 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-28 16:47:29 316,272 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-10 17:47:02 316,272 ----a-w C:\WINDOWS\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "webscan"="C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" []
    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-12-11 16:36]
    "IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-01-29 18:13]
    "HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-01-29 18:13]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
    "RegClean"="C:\Program Files\RegClean\RegClean.exe" [2007-10-18 08:03]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18]
    "MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 11:00]
    "Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 11:48]
    "DCC_send"="AliceSD.exe" []
    "Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2004-04-30 10:51]
    "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2006-04-19 09:30]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-08-02 19:28:49]
    Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-08-19 15:42:33]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
    WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-11-04 13:49:28]

    R2 ATNT40K;ActiveTouch NT Appsharing Driver;C:\WINDOWS\System32\DRIVERS\ATNT40K.SYS
    S3 NAL;Nal Service ;\??\C:\WINDOWS\System32\Drivers\iqvw32.sys

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-11 06:53:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2007-11-12 11:30:00 C:\WINDOWS\Tasks\RegClean Scheduled Scan.job"
    - C:\Program Files\RegClean\RegClean.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-12 18:36:54
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-12 18:37:55
    C:\ComboFix2.txt ... 2007-11-11 19:46
    C:\ComboFix3.txt ... 2007-11-10 09:47
    .
    --- E O F ---


    here is highjack this

    Logfile of HijackThis v1.99.1
    Scan saved at 7:32:56 PM, on 11/12/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\RegClean\RegClean.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O15 - Trusted Zone: http://*.search-soft.net
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.

    Go to the following link and read about Acceleration Software and then you can decide if you really want to keep it or not.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm#ss_note


    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

    O4 - HKCU\..\Run: [DCC_send] AliceSD.exe

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

    O15 - Trusted Zone: http://*.63.219.181.7

    O15 - Trusted Zone: http://*.search-soft.net



    Reboot the computer.

    Then do this please:

    Open HijackThis and click on "Config" and then on the "Misc Tools" button. Click on the "Open Uninstall Manager" button. Click the "Save List" botton. Copy and paste that list here please.


    Post your new HijackThis scan log along with the HijackThis uninstall list please.
     
  11. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    here they are

    360Share(remove only)
    Absolute Fretboard Trainer PRO
    Ad-Aware 2007
    Adobe Flash Player 9 ActiveX
    Adobe Photoshop 7.0
    Adobe Reader 6.0
    Adobe Shockwave Player
    AppCore
    Apple Software Update
    AV
    Birthday EZ Cards
    ccCommon
    Contextual Tool
    Digital Media Reader
    Dtab V0.99d
    eAcceleration
    eMedia Codec 4.0
    Form Viewer
    GearDrvs
    Good Keywords v2.0.072406
    Google Earth
    HijackThis 1.99.1
    Instant Architect
    Intel(R) Extreme Graphics Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    Internet Explorer Security Plugin 2006
    Internet Security Add-On
    iPod for Windows 2005-10-12
    iPod for Windows 2006-01-10
    iTunes
    Java 2 Runtime Environment, SE v1.4.2
    LiveUpdate 3.2 (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Microsoft Data Access Components KB870669
    Microsoft FrontPage 2002
    Microsoft Money 2004
    Microsoft Money 2004 System Pack
    Microsoft Office Standard Edition 2003
    Microsoft Works
    Mozilla Firefox (2.0.0.3)
    Norton 360
    Norton 360
    Norton 360
    Norton 360 (Symantec Corporation)
    Norton 360 Help
    Norton Confidential Browser Component
    Norton Confidential Web Authentification Component
    Norton Confidential Web Protection Component
    Olympus Digital Wave Player
    OverDrive Media Console
    Picasa 2
    PowerDVD
    QuickBooks Simple Start Online Edition
    QuickTime
    RealPlayer Basic
    RegClean
    Sateira CD&DVD Burner 2.4
    SoftV92 Data Fax Modem with SmartCP
    SoundMAX
    SPBBC 32bit
    Spy Sweeper
    Spybot - Search & Destroy 1.3
    SuppSoft
    Symantec Technical Support Controls
    SymNet
    SysSnap
    The Weather Channel Desktop
    Viewpoint Media Player
    Weather Services
    WebEx
    Window Washer 5
    Windows Backup Utility
    Windows Media Player 9 Hotfix [See KB885492 for more information]
    Windows XP Hotfix - KB888162
    Windows XP Service Pack 2
    WinZip
    WordPerfect Office 12


    Logfile of HijackThis v1.99.1
    Scan saved at 8:25:32 PM, on 11/13/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\RegClean\RegClean.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [RegClean] C:\Program Files\RegClean\RegClean.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/include/imageUploader/ImageUploader4.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on desktop. Right click the file and select install, that will reset the zone settings that have been altered.

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Ugrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 3.
    • Scroll down to where it says " Java Runtime Environment (JRE) 6 Update 3. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start - Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.


    Reboot and post a new HijackThis log please.
     
  13. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    ok

    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:59 AM, on 11/14/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
    C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/include/imageUploader/ImageUploader4.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    115,873
    First Name:
    Karen
    Download and install AVG Anti-Spyware v7.5. Note to AVG Free anti-virus program users only: This is not the same program as the one you already have, this is an anti-spyware program so please proceed with the instructions.
    • After download, double click on the file to launch the install process.
    • Choose a language, click "OK" and then click "Next".
    • Read the "License Agreement" and click "I Agree".
    • Accept default installation path: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5, click "Next", then click "Install".
    • After setup completes, click "Finish" to start the program automatically or launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
    • The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. As AVG Anti-Spyware may interfere with some of our other fixes, we are temporarily disabling its active protection features until your system is clean, then you can re-enable them.
    • Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
    • Connect to the Internet, go back to AVG Anti-Spyware, select the "Update" button and click "Start update".
      Wait until you see the "Update successful" message. If you are having problems with the updater, manually download and update with the AVG Anti-Spyware Full database installer.
    • Exit AVG Anti-Spyware when done - DO NOT perform a scan yet.
    Reboot your computer in SAFE MODE using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". (Note: When run in safe mode, sometimes the GUI is larger than the screen and the buttons at the bottom are partly or completely hidden, making them inaccessible for doing a scan. If this happens press Alt + Spacebar. A menu will come open, make sure you select maximize then run the scan. If that does not help, then you may have to run your scan in normal mode and advise your helper afterwards.)

    Scan with AVG Anti-Spyware as follows:
    • Click on the "Scanner" button and choose the "Settings" tab.
    • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
    • Under "How to Scan? ", "Possibly unwanted software", and What to Scan?" leave all the default settings.
    • Under "Reports" select "Do not automatically generate reports".
    • Click the "Scan" tab to return to scanning options.
    • Click "Complete System Scan" to start.
    • When the scan has finished, it should automatically be set to Quarantine--if not click on Recommended Action and set it there.
    • You will also be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.
    IMPORTANT! Do not save the report before you have clicked the :Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.
    • Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Reports\
    • Exit AVG Anti-Spyware when done, reboot normally and post the log report in your next response.
    Note: Close all open windows, programs, and DO NOT USE the computer while AVG Anti-Spyware is scanning. Doing so can hamper AVG Anti-Spyware's ability to clean properly and may result in reinfection.

    AVG Anti-Spyware is free for 30 days and all the extensions of the full version will be activated. After the 30 day trial, active protection extensions will be deactivated and the program will turn into a feature-limited freeware version that you can continue to use as an on-demand scanner or you may purchase a license to use the full version. We are installing AVG Anti-Spyware with its real-time protection disabled. Once your system is clean you may re-enable it so you can continue using this feature for the remainder of the trial period.


    Please go HERE to run Panda's ActiveScan
    • You need to use IE to run this scan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


    Come back here and post a new HijackThis log along with the logs from the AVG and Panda scans.
     
  15. dan42baker

    dan42baker Thread Starter

    Joined:
    Nov 9, 2007
    Messages:
    17
    question: Now that i have AVG can/should I get rid of spybot:search and destroy and spysweepr??

    2 objects in AVG scan "Tracking Cookie" quarentine was grayed out and delete was default
    ---applied that action
    object "adware.generic" there was an error during quarentine proccess (error report included)

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 9:14:58 AM 11/15/2007

    + Scan result:



    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
    HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.IntCodec : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F85E50F6-23AA-4ADC-862E-3E5F25DFB1DC}\RP419\A0038466.sys -> Downloader.Agent.acl : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{F85E50F6-23AA-4ADC-862E-3E5F25DFB1DC}\RP411\A0036356.exe -> Not-A-Virus.Downloader.Win32.WinFixer.z : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\UGA6P_1001_N109M1307NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.z : Cleaned with backup (quarantined).
    C:\qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\install_enex[1].exe.vir -> Not-A-Virus.Downloader.Win32.WinFixer.z : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\18\6a14fd92-3755eb41/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\41\4606f7e9-1e644746/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\43\2d23572b-3671c2bc/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-de1f110-437d1575.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-68fb1dc0-5dfdfbd5.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv411.jar-18270f7c-4c55b49d.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
    :mozilla.120:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
    :mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
    :mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
    :mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
    :mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
    :mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.
    :mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\5i02hf5g.default\cookies.txt -> TrackingCookie.Msn : Cleaned.


    ::Report end

    here is error

    [11/15/2007 7:26:27 AM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
    [11/15/2007 7:26:27 AM] Error: [CConnectionInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ConnectionInformation.cpp, 227
    [11/15/2007 7:45:57 AM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 50
    [11/15/2007 7:46:40 AM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 50
    [11/15/2007 7:46:40 AM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
    [11/15/2007 7:46:42 AM] Error: failed to connect to driver, Value: 00000002, Position: .\SelfProtection.cpp, 50
    [11/15/2007 9:21:01 AM] Error: [CProcessInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ProcessInformation.cpp, 274
    [11/15/2007 9:21:01 AM] Error: [CConnectionInformation]: Creating snapshot for module enumeration failed., Value: 00000008, Position: .\ConnectionInformation.cpp, 227

    Here is Panda


    Incident Status Location

    Adware:adware/ncase Not disinfected c:\temp\salm.log
    Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
    Potentially unwanted tool:application/winfixer2005 Not disinfected c:\windows\downloaded program files\UGA6P_0001_N115M0110NetInstaller.exe
    Adware:adware/ieplugin Not disinfected c:\windows\kwv2.dat
    Adware:adware/webattaker Not disinfected c:\windows\uniq
    Potentially unwanted tool:application/regclean32 Not disinfected C:\Documents and Settings\Owner\Application Data\Registry Cleaner
    Adware:adware/emediacodec Not disinfected Windows Registry
    Adware:adware/dyfuca Not disinfected Windows Registry
    Adware:adware/dollarrevenue Not disinfected Windows Registry
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\6ffd0c10-15425074[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\6ffd0c10-54a87fa7[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\6ffd0c10-6a6759c1[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\16\6ffd0c10-7cf683dc[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-690ccf7f-28d25088.zip[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-690ccf7f-588e7aeb.zip[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7161237b-564f8944.zip[a.class]
    Hacktool:Exploit/BytVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7161237b-6df70d80.zip[a.class]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.exe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Owner\Desktop\ComboFix.exe[nircmd.cfexe]
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\fixwareout\FindT\nircmd.exe
    Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir
    Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\Documents and Settings\Owner\Start Menu\Programs\Startup\system.exe.vir
    Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
    Adware:Adware/WinAntiVirus2007 Not disinfected C:\qoobox\Quarantine\C\WINDOWS\system32\WinAvXX.exe.vir
    Adware:Adware/F1Organizer Not disinfected C:\WINDOWS\Downloaded Program Files\dwnldr.dll
    Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
    and highjack this

    Logfile of HijackThis v1.99.1
    Scan saved at 10:58:27 AM, on 11/15/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Washer\wwDisp.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Owner\My Documents\Unzipped\hijackthis\HijackThis.exe

    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
    O4 - HKLM\..\Run: [webscan] "C:\Program Files\Acceleration Software\Anti-Virus\stopsignav.exe" -k
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) - https://www.topproduceronline.com/downloads/msjavx86.exe
    O16 - DPF: {0DA69429-A757-4D6F-A827-DB1AF052DDAF} - http://69.28.111.10/webportal/plugins/VA.cab
    O16 - DPF: {40F8967E-34A6-474A-837A-CEC1E7DAC54C} - https://accounting.quickbooks.com/c4/v15.591/qboax9.cab
    O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.kw.com/websiteTemplateAdmin/include/imageUploader/ImageUploader4.cab
    O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c4/v16.608/qboax10.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {CC49479E-93A8-455E-959A-C49BE895D87C} - http://69.28.111.10/webportal/plugins/VMPlayer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://atsreviews.webex.com/client/T25L/training/ieatgpc.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
    O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    thank you
    Dan
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/649964

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice