1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Ntnc.exe

Discussion in 'Virus & Other Malware Removal' started by Page449, Jan 23, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    I have been infected with some kind of spyware or other malicious program. My desktop has been hijacked and i cannot change it. I have two unknown files on my c drive: ntce.exe and winstall.exe. Also on my task bar there is a new icon that tells me my computer is infected with spyware and i can't get rid of the icon. Any help would be appreciated.
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Welcome to TSG :)

    Click here to download HJTsetup.exe: http://www.thespykiller.co.uk/files/HJTSetup.exe
    Save HJTsetup.exe to your desktop.

    Double click on the HJTsetup.exe icon on your desktop.
    By default it will install to C:\Program Files\Hijack This.
    Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    Put a check by Create a desktop icon then click Next again.
    Continue to follow the rest of the prompts from there.
    At the final dialogue box click Finish and it will launch Hijack This.
    Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    Click Save to save the log file and then the log will open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Come back here to this thread and Paste the log in your next reply.
    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    Logfile of HijackThis v1.99.1
    Scan saved at 1:55:38 PM, on 1/23/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\OfficeScan NT\OfcPfwSvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\TEMP\MPAB9E.EXE
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\winstall.exe
    C:\Program Files\Apoint\Apntex.exe
    \MAIL\netlogon\ImLua.exe
    C:\WINDOWS\scanfile.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: Scanner File Utility.lnk = C:\Program Files\Kyocera Mita\FileUtility\fileexec.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://mail.thefamilyschool.com/officescan/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setup.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16d5e7ddfdb2d628ef16/netzip/RdxIE601.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098968952093
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\Software\..\Telephony: DomainName = thefamilyschool.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65FBF8FF-16E3-48B3-95F3-A041FCBD3217}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe
     
  4. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    * Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.

    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJack This log along with the results from ActiveScan and the Ewido scan and post the contents of the smitfiles.txt.
     
  5. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    Here are the files:

    HIJACK THIS:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:28:30 PM, on 1/23/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\OfficeScan NT\OfcPfwSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\RegSrvc.exe
    C:\OfficeScan NT\tmlisten.exe
    \MAIL\netlogon\ImLua.exe
    C:\WINDOWS\TEMP\UM3CF9.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\scanfile.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: Scanner File Utility.lnk = C:\Program Files\Kyocera Mita\FileUtility\fileexec.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://mail.thefamilyschool.com/officescan/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setup.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16d5e7ddfdb2d628ef16/netzip/RdxIE601.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098968952093
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\Software\..\Telephony: DomainName = thefamilyschool.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65FBF8FF-16E3-48B3-95F3-A041FCBD3217}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

    ACTIVE SCAN:


    Incident Status Location

    Spyware:Cookie/go Not disinfected C:\Documents and Settings\pkandetzke\Cookies\[email protected][1].txt
    Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Barelylegal Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt
    Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt
    Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ttowsley\Desktop\smitRem\Process.exe
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ttowsley\Desktop\smitRem.exe[Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\ttowsley\Local Settings\Temporary Internet Files\Content.IE5\0RNJE8DD\smitRem[1].exe[Process.exe]
    Virus:Exploit/Mhtredir.CU Disinfected C:\Documents and Settings\ttowsley\Local Settings\Temporary Internet Files\Content.IE5\M5CFAPQH\dia148[1].htm
    Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\ttowsley\Local Settings\Temporary Internet Files\Content.IE5\NEHSPFZF\nc[1].anr
    Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1078145449-682003330-1204\Dc37.exe[Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected C:\RECYCLER\S-1-5-21-1844237615-1078145449-682003330-1204\Dc40\Process.exe

    EWIDO SCAN:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 3:46:07 PM, 1/23/2006
    + Report-Checksum: 43B6BD77

    + Scan result:

    C:\Documents and Settings\pkandetzke\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\ttowsley\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\ttowsley\Local Settings\Temporary Internet Files\Content.IE5\K963CTMZ\nca[1].exe -> Downloader.Zlob.dc : Cleaned with backup
    C:\Documents and Settings\ttowsley\Local Settings\Temporary Internet Files\Content.IE5\NEHSPFZF\runapl[1].exe -> Not-A-Virus.Hoax.Win32.Renos.au : Cleaned with backup
    C:\ntnc.exe -> Not-A-Virus.Hoax.Win32.Renos.au : Cleaned with backup
    C:\Program Files\DIGStream\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup

    SMIT FILES:


    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: Mon 01/23/2006
    The current time is: 14:34:28.75

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!


    checking for WinHound.com key

    WinHound.com key present!



    Running WinHound.com fix!



    WinHound.com key was successfully removed! :)

    spyaxe uninstaller NOT present
    Winhound uninstaller NOT present
    SpywareStrike uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~

    desktop.html


    ~~~ Drive root ~~~

    winstall.exe

    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 888 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~



    ~~~ Drive root ~~~



    ~~~ Miscellaneous Files/folders ~~~




    ~~~ Wininet.dll ~~~

    CLEAN! :)

    Thanks
     
  6. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Download KillBox here: http://www.downloads.subratam.org/KillBox.exe
    Save it to your desktop.
    DO NOT run it yet.

    Rescan with Hijack This.
    Close all browser windows except Hijack This.
    Put a check mark beside these entries and click "Fix Checked".

    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/16d5e7dd...p/RdxIE601.cab


    Boot into Safe Mode.

    * Double-click on Killbox.exe to run it.

    Put a tick by Standard File Kill.
    In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\winstall.exe

    Click on the button that has the red circle with the X in the middle after you enter each file.
    It will ask for confirmation to delete the file.
    Click Yes.
    Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    Killbox may tell you that one or more files do not exist.
    If that happens, just continue on with all the files. Be sure you don't miss any.
    Next in Killbox go to Tools > Delete Temp Files
    In the window that pops up, put a check by ALL the options there except these three:
    XP Prefetch
    Recent
    History
    Now click the Delete Selected Temp Files button.
    Exit the Killbox.

    Finally go to Control Panel > Internet Options.
    On the General tab under "Temporary Internet Files" Click "Delete Files".
    Put a check by "Delete Offline Content" and click OK.
    Click on the Programs tab then click the "Reset Web Settings" button.
    Click Apply then OK.

    Empty the Recycle Bin.

    Reboot, post a new log.
     
  7. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    Logfile of HijackThis v1.99.1
    Scan saved at 8:51:53 AM, on 1/24/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\S24EvMon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ZCfgSvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\OfficeScan NT\ntrtscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\OfficeScan NT\OfcPfwSvc.exe
    C:\WINDOWS\System32\RegSrvc.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\WINDOWS\TEMP\AVD14A.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Apoint\Apntex.exe
    \BLACKBAUD\netlogon\ImLua.exe
    C:\WINDOWS\scanfile.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: Scanner File Utility.lnk = C:\Program Files\Kyocera Mita\FileUtility\fileexec.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) - http://mail.thefamilyschool.com/officescan/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupIniCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/setup.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - http://mail.thefamilyschool.com/officescan/clientinstall/RemoveCtrl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1098968952093
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\Software\..\Telephony: DomainName = thefamilyschool.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CCS\Services\Tcpip\..\{65FBF8FF-16E3-48B3-95F3-A041FCBD3217}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = thefamilyschool.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{60DD272C-BBE8-41CD-A808-EB06567A4F78}: NameServer = 10.0.2.251,198.6.1.142
    O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\OfficeScan NT\OfcPfwSvc.exe
    O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
    O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\OfficeScan NT\tmlisten.exe

    Thanks
     
  8. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    How are things now?
     
  9. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    Thank you so much.
     
  10. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    You're welcome :)

    Now turn off System Restore:

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a restore point:

    Single-click Start and point to All Programs.
    Mouse over Accessories, then System Tools, and select System Restore.
    In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
    Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.

    You can mark your thread "Solved" from the Thread Tools drop down menu.
     
  11. Page449

    Page449 Thread Starter

    Joined:
    Jan 23, 2006
    Messages:
    6
    For whatever reason i can't change my desktop background. There is just a blue screen. Any thoughts?
     
  12. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

    If that doesn't work...

    Download and save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

    It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script

    If it doesn't open then go to c:\desktopclean and double click on the cleandesktop.vbs Do not run any other file from there please unless asked to

    If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

    If you get a message when you first run it "Can not find script file "blah blah blah" then don't worry just doubleclick the cleandesktop.vbs script again you sometimes get that message when a script blocker blocks the script

    It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

    It will restart Explorer.

    Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

    I have included another vbs to do this. It is named Other Profiles Regfix.vbs

    Have each User sign in and run Other Profiles Regfix.vbs
    Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

    Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

    To restore the desktop to whatever picture you normally have right click on a blank part of desktop & select properties/desktop & select your prefered picture press apply & then ok to exit and then press F5.

    You will need to do this step for every user account.
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/436542

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice