1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

please help

Discussion in 'Virus & Other Malware Removal' started by jenn31708, Jul 15, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    I used hijack this, and here's my log file. If there's anything you can do to help, thanks



    Logfile of HijackThis v1.99.1
    Scan saved at 10:15:18 PM, on 7/15/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\DOCUME~1\Patricia\APPLIC~1\PPATCH~1\spool32.exe
    C:\WINDOWS\retadpu11.exe
    C:\WINDOWS\system32\F?nts\csrss.exe
    C:\WINDOWS\System32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\fknuqodA.exe
    C:\WINDOWS\g4356cbvy63.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\retadpu11.exe
    C:\Program Files\WinPop\winpop.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Patricia\My Documents\Unzipped\hijackthis[1]\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pyprqw.exe reg_run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [fknuqodA] C:\WINDOWS\fknuqodA.exe
    O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
    O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\eupkyvfn.dll",realset
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
    O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
    O4 - HKCU\..\Run: [softpub] "C:\WINDOWS\system32\softpub.exe"
    O4 - HKCU\..\Run: [Tcet] "C:\DOCUME~1\Patricia\APPLIC~1\PPATCH~1\spool32.exe" -vt yazb
    O4 - HKCU\..\Run: [Pctbr] C:\WINDOWS\system32\F?nts\csrss.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://3com.snap.com
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi Welcome to TSG!!

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
     
  3. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    Hi there...

    I seem to get a lot of popups, and it stops me from doing a lot of things. i did a system restore to about a week ago (right before all the problems started) Here's my hijack this log file. could you please tell me if there's anything dangerous here. Thanks so much

    jenn:)
     
  4. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    here's my new hijack lof file, everything seems to be working better and faster now (knock on wood) how does it look now??

    Logfile of HijackThis v1.99.1
    Scan saved at 11:47:02 PM, on 7/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\kesupqm.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\WINDOWS\system32\softpub.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pyprqw.exe reg_run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wcihavu] C:\WINDOWS\system32\kesupqm.exe r
    O4 - HKCU\..\Run: [softpub] "C:\WINDOWS\system32\softpub.exe"
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://3com.snap.com
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I merged your new thread into this one. Please do not start new threads. Keep replying here until this is resolved.

    As for how that log looks..... it's infected.

    Where is your anti-virus software?

    Load AVG http://free.grisoft.com/freeweb.php/doc/2/ it's free. Run a full scan and post the AVG scan results and a new HJT log.
     
  6. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    Thanks for your help, here's my log file from hijack this, and I ran AVG but I'm not sure what to post. It removed 27 things, and moved 3 things to the vault. Is it normal that it took over 4 hours to run?? thanks again, you're the best.



    Logfile of HijackThis v1.99.1
    Scan saved at 4:26:47 PM, on 7/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\friglao.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pyprqw.exe reg_run
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [copy real junk the] C:\Documents and Settings\All Users\Application Data\Name beep copy real\Mfcd Sign.exe
    O4 - HKLM\..\Run: [Up second meta the] C:\Documents and Settings\All Users\Application Data\Noun keep the name\less that dumb.exe
    O4 - HKLM\..\Run: [cqwipy] C:\WINDOWS\system32\friglao.exe r
    O4 - HKCU\..\Run: [softpub] "C:\WINDOWS\system32\softpub.exe"
    O4 - HKCU\..\Run: [cdrom readme] C:\DOCUME~1\Patricia\APPLIC~1\PROGRA~1\bind flaw rule.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://3com.snap.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download Findlop by Metallica.
    http://metallica.geekstogo.com/findlop.zip

    Unzip it to your desktop.
    Double click findlop.bat.
    A Notepad file will open.
    Copy the content of that file and paste it into your reply to this thread.
     
  8. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    okay, I think I have it, here's the log from findlop, followed by a new hijack this. Thanks again!!!


    [TRACE] Enumerating jobs and queues
    [TRACE] Activating job 'A975B33D911A2551.job'
    [TRACE] Printing all job properties

    ApplicationName: 'c:\docume~1\patricia\applic~1\progra~1\Love long acid.exe'
    Parameters: ''
    WorkingDirectory: ''
    Comment: ''
    Creator: 'Patricia'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 07/23/2007 17:00:00
    NextRun: 07/23/2007 18:00:00
    StartError: S_OK
    ExitCode: 0
    Status: SCHED_S_TASK_READY
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 0
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 1
    TaskFlags: 0

    1 Trigger

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 02/02/1997
    EndDate: 00/00/0000
    StartTime: 00:00
    MinutesDuration: 1440
    MinutesInterval: 60
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0


    [TRACE] Activating job 'Symantec NetDetect.job'
    [TRACE] Printing all job properties

    ApplicationName: 'C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE'
    Parameters: ''
    WorkingDirectory: 'C:\Program Files\Symantec\LiveUpdate'
    Comment: 'Symantec NetDetect'
    Creator: 'Patricia'
    Priority: NORMAL
    MaxRunTime: 259200000 (3d 0:00:00)
    IdleWait: 10
    IdleDeadline: 60
    MostRecentRun: 00/00/0000 0:00:00
    NextRun: 00/00/0000 0:00:00
    StartError: SCHED_S_TASK_HAS_NOT_RUN
    ExitCode: 0
    Status: SCHED_S_TASK_DISABLED
    ScheduledWorkItem Flags:
    DeleteWhenDone = 0
    Suspend = 1
    StartOnlyIfIdle = 0
    KillOnIdleEnd = 0
    RestartOnIdleResume = 0
    DontStartIfOnBatteries = 0
    KillIfGoingOnBatteries = 0
    RunOnlyIfLoggedOn = 1
    SystemRequired = 0
    Hidden = 0
    TaskFlags: 0

    2 Triggers

    Trigger 0:
    Type: Daily
    DaysInterval: 1
    StartDate: 07/13/2007
    EndDate: 00/00/0000
    StartTime: 16:58
    MinutesDuration: 1440
    MinutesInterval: 5
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0

    Trigger 1:
    Type: AtLogon
    StartDate: 07/13/2007
    EndDate: 00/00/0000
    StartTime: 16:58
    MinutesDuration: 0
    MinutesInterval: 0
    Flags:
    HasEndDate = 0
    KillAtDuration = 0
    Disabled = 0




    Logfile of HijackThis v1.99.1
    Scan saved at 5:14:29 PM, on 7/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: BestOffers Shopping BHO - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [copy real junk the] C:\Documents and Settings\All Users\Application Data\Name beep copy real\Mfcd Sign.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [cdrom readme] C:\DOCUME~1\Patricia\APPLIC~1\PROGRA~1\bind flaw rule.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://3com.snap.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
     
  9. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Copy and paste the text from the quote box to an empty file in Notepad.
    Save the file as fix.bat, Save as type: All files.
    Save it to your desktop.
    Doubleclick fix.bat on your desktop.
    A DOS box should open and close quickly, this is normal.



    [​IMG] Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of Java components and upgrade the application. Be aware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Ugrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u2.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.


    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      c:\windows\SvcProc.exe
      C:\Documents and Settings\All Users\Application Data\Name beep copy real
      C:\Program Files\TBONAS


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  10. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    figures, I have a problem with the first step. I removed java from my programs, but when I downloaded and ran the new java, it said I had existing files and would not update. I ran a search on my c drive in files and folders for java, and there is 50 of them. They are in windows, quicktime, adobe, prefetch. Do I delete all of them, then install the one you told me to?
     
  11. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Remove from add/remove programs and then reboot the machine. That is all it should take.
     
  12. jenn31708

    jenn31708 Thread Starter

    Joined:
    Jul 15, 2007
    Messages:
    66
    here's the log from the super anti-spy scan, and the newest hijack this:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/23/2007 at 09:52 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Quick Scan
    Total Scan Time : 00:26:01

    Memory items scanned : 305
    Memory threats detected : 0
    Registry items scanned : 702
    Registry threats detected : 115
    File items scanned : 8824
    File threats detected : 27

    Adware.MyWay
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{014DA6C1-189F-421a-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\InprocServer32
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\InprocServer32#ThreadingModel
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\Programmable
    HKCR\CLSID\{014DA6C1-189F-421A-88CD-07CFE51CFF10}\TypeLib
    C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{014DA6C9-189F-421a-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C9-189F-421A-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}
    HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32
    HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\InprocServer32#ThreadingModel
    HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\Programmable
    HKCR\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10}\TypeLib
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}\1.0
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}\1.0\0
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}\1.0\0\win32
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}\1.0\FLAGS
    HKCR\TypeLib\{014DA6C0-189F-421a-88CD-07CFE51CFF10}\1.0\HELPDIR
    HKU\S-1-5-21-329068152-789336058-854245398-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{014DA6C9-189F-421A-88CD-07CFE51CFF10}
    HKU\S-1-5-21-329068152-789336058-854245398-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{014DA6C9-189F-421A-88CD-07CFE51CFF10}

    Adware.Best Offers
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5DE8ADB-4A69-4e56-96AB-823171C8E9D8}
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\InprocServer32
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\InprocServer32#ThreadingModel
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\ProgID
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\Programmable
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\TypeLib
    HKCR\CLSID\{F5DE8ADB-4A69-4E56-96AB-823171C8E9D8}\VersionIndependentProgID
    C:\PROGRAM FILES\TBONAS\TBONLCHR.DLL
    HKLM\Software\Microsoft\Internet Explorer\Toolbar#{7FD44536-9DF0-4034-939F-5BD4D98E3187}
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\InprocServer32
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\InprocServer32#ThreadingModel
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\ProgID
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\Programmable
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\TypeLib
    HKCR\CLSID\{7FD44536-9DF0-4034-939F-5BD4D98E3187}\VersionIndependentProgID
    HKCR\MyNewsBarLauncher.IE5BarLauncher.1
    HKCR\MyNewsBarLauncher.IE5BarLauncher.1\CLSID
    HKCR\MyNewsBarLauncher.IE5BarLauncher
    HKCR\MyNewsBarLauncher.IE5BarLauncher\CLSID
    HKCR\MyNewsBarLauncher.IE5BarLauncher\CurVer
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}\1.0
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}\1.0\0
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}\1.0\0\win32
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}\1.0\FLAGS
    HKCR\TypeLib\{4EF67630-DD6C-4e66-B175-60BCCD1CA89B}\1.0\HELPDIR
    HKU\S-1-5-21-329068152-789336058-854245398-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{7FD44536-9DF0-4034-939F-5BD4D98E3187}
    HKU\S-1-5-21-329068152-789336058-854245398-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{7FD44536-9DF0-4034-939F-5BD4D98E3187}

    Adware.Qoologic/QoolAid
    HKLM\Software\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
    HKLM\Software\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}#CLSID
    HKLM\Software\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}#MenuText

    Adware.Tracking Cookie
    C:\Documents and Settings\Patricia\Cookies\[email protected][1].txt

    Unclassified.Unknown Origin
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}#AppID
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\InprocServer32
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\InprocServer32#ThreadingModel
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\ProgID
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\Programmable
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\TypeLib
    HKCR\CLSID\{B3E19860-0CD5-4991-A066-4FCA2704DE59}\VersionIndependentProgID
    C:\WINDOWS\DSR.DLL

    Adware.MovieLand/MediaPipe
    HKLM\Software\MediaPipe
    HKLM\Software\MediaPipe\Prefs
    HKLM\Software\MediaPipe\Prefs#version
    HKLM\Software\MediaPipe\Prefs#AltPayments
    HKLM\Software\MediaPipe\Prefs#ProductFamily
    HKLM\Software\MediaPipe\Prefs#Country
    HKLM\Software\MediaPipe\Prefs#Provider
    HKLM\Software\MediaPipe\Prefs#TRAFFIC_COUNTRY
    HKLM\Software\MediaPipe\Prefs#TRAFFIC_PROGRAM
    HKLM\Software\MediaPipe\Prefs#TRAFFIC_SOURCE
    HKLM\Software\MediaPipe\Prefs#TRAFFIC_SUBSOURCE
    HKLM\Software\MediaPipe\Prefs#JOIN_FORM_ID
    HKLM\Software\MediaPipe\Prefs#modem
    HKLM\Software\MediaPipe\Prefs#GUID
    HKLM\Software\MediaPipe\Prefs#Filename
    HKLM\Software\MediaPipe\Prefs\altpayments
    HKLM\Software\MediaPipe\Prefs\altpayments#Provider
    HKCR\MPAgent.Agent
    HKCR\MPAgent.Agent\CLSID
    HKCR\MPAgent.Agent\CurVer
    HKCR\MPAgent.Agent.1
    HKCR\MPAgent.Agent.1\CLSID
    HKCR\AppId\AMNotifier.EXE
    HKCR\AppId\AMNotifier.EXE#AppID
    HKCR\AppId\MPAgent.DLL
    HKCR\AppId\MPAgent.DLL#AppID
    HKCR\AMNotifier.HUBAWindow
    HKCR\AMNotifier.HUBAWindow\CLSID
    HKCR\AMNotifier.HUBAWindow\CurVer
    HKCR\AMNotifier.HUBAWindow.1
    HKCR\AMNotifier.HUBAWindow.1\CLSID
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}#AppID
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}\LocalServer32
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}\ProgID
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}\Programmable
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}\TypeLib
    HKCR\CLSID\{7BF58804-E672-4B96-8EEC-BFCCE6492C9A}\VersionIndependentProgID
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\0\win32
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\FLAGS
    HKCR\TypeLib\{AFDBB222-DEA9-4C12-B3A3-A13C2985E3EE}\1.0\HELPDIR
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\0
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\0\win32
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\FLAGS
    HKCR\TypeLib\{CCEBBEB5-D011-41B5-9F92-01F88A38DC0D}\1.0\HELPDIR
    C:\Program Files\MediaPipe\Agent.dll
    C:\Program Files\MediaPipe\AltPayments.exe
    C:\Program Files\MediaPipe\altpayments_terms.txt
    C:\Program Files\MediaPipe\api.exe
    C:\Program Files\MediaPipe\insdl.dll
    C:\Program Files\MediaPipe\install.log
    C:\Program Files\MediaPipe\MediaPipe.ini
    C:\Program Files\MediaPipe\p2pinst.exe
    C:\Program Files\MediaPipe\p2pl.exe
    C:\Program Files\MediaPipe\register.dll
    C:\Program Files\MediaPipe

    Adware.IEPlugin
    HKCR\Remove

    Adware.Mirar/NetNucleus
    C:\WINDOWS\Downloaded Program Files\WinATS.inf

    Adware.ClickSpring/Outer Info Network
    C:\Program Files\Outerinfo\Terms.rtf
    C:\Program Files\Outerinfo

    Adware.Casino Games (Golden Palace Casino)
    C:\DOCUMENTS AND SETTINGS\PATRICIA\APPLICATION DATA\MICROSOFT\INSTALLER\{29B2BDE5-3585-11D5-888A-005004D128A9}\CASINO.EXE
    C:\PROGRAM FILES\ACTIVISION VALUE\GAMBLING TYCOON\CASINO.EXE
    C:\DOCUMENTS AND SETTINGS\PATRICIA\START MENU\PROGRAMS\ACTIVISION VALUE\GAMBLING TYCOON\GAMBLING TYCOON.LNK

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\CONFLICT.1\UWA7P_0001_N91M0809NETINSTALLER.EXE

    Adware.eXactAdvertising-Installer
    C:\WINDOWS\DSR.EXE

    Adware.Aurora/Nail
    C:\WINDOWS\NAIL.EXE

    Adware.Best Offers Network
    C:\WINDOWS\QFCXYHSNKM.EXE

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\AWVVU.DLL

    Trojan.Downloader-Gen/HitItQuitIt
    C:\WINDOWS\SYSTEM32\SSQQNOM.DLL




    Logfile of HijackThis v1.99.1
    Scan saved at 10:09:25 PM, on 7/23/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ezSP_Px.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://3com.snap.com
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
     
  13. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Click Here and download Killbox and save it to your desktop.
    • Double-click on Killbox.exe to run it.
    • Put a tick by Delete on Reboot.
    • Copy the following list of files to clipboard, CTRL+C to copy

      C:\WINDOWS\dinst.exe
      c:\windows\SvcProc.exe


    • Now in Killbox go to File, Paste from clipboard.
    • Click the All Files button.
    • Click on the button that has the red circle with the X in the middle.
    • It will ask for confimation to delete the file.
    • Click Yes.
    • It will ask if you want to reboot now,
    • Click No

    Note: It is possible that Killbox will tell you that the file does not exist.


    If you get an error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" just ignore that.

    Close Killbox.


    Click Start - Run - and type in:
    services.msc
    Click OK.
    In the services window find:
    System Startup Service (SvcProc)
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.
    Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.



    Run HJT again and put a check in the following:

    O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Patricia\Local Settings\Temp\{34DEE20A-9649-4680-AE13-566023C50C4F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)

    Close all applications and browser windows before you click "fix checked".


    Now restart the machine and post your hijackthis log again.
     
  14. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/596297

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice