1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: My Computer Feels Like its Being TAKEN OVER!

Discussion in 'Virus & Other Malware Removal' started by buggingainey, Oct 29, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    My computer has been acting f-d up since this summer. I allowed my boyfriends mother and sister use my computer untill they repaired there crashed computer or purchase two new lap tops leaving me with this mess. I just want to be able to play my online games (CS, GW, WOW, Warcraft, etc.) without having these ''system suggestive downloads'' pop-ups. I have no access to my ''add or remove programs''. In the startup folder there are to applications called ''autorun'' and ''system'' that even if deleted they re-appear. I have alot of other things, a few weeks ago I was unable to use google, and frequently my internet pages close at any random given time, it really makes paying bills, checking my grades, and running emails difficult. I do not know what is wrong or even more so where to begin. I have litte resourses for removal programs or repairs etc. anything that I can do manually (with full instructions) I am fully prepared to do. My computer feels like its being TAKEN OVER!
    Included below is the results I have from the Webroot Spy Sweer that I downloaded and the HiJack log.

    Webroot Spy Sweep Results:

    Behavioral found: Mal/HckPk-A
    Adware found: purityscan
    Spy Cookie found: 2o7.net cookie
    Spy Cookie found: websponsors cookie
    Spy Cookie found: yieldmanager cookie
    Spy Cookie found: adprofile cookie
    Spy Cookie found: adrevolver cookie
    Spy Cookie found: pointroll cookie
    Spy Cookie found: advertising cookie
    Spy Cookie found: atlas dmt cookie
    Spy Cookie found: azjmp cookie
    Spy Cookie found: bs.serving-sys cookie
    Spy Cookie found: casalemedia cookie
    Spy Cookie found: clickzs cookie
    Spy Cookie found: screensavers.com cookie
    Spy Cookie found: mediaplex cookie
    Spy Cookie found: questionmarket cookie
    Spy Cookie found: realmedia cookie
    Spy Cookie found: serving-sys cookie
    Spy Cookie found: trafficmp cookie
    Spy Cookie found: tribalfusion cookie
    Spy Cookie found: webpower cookie
    Adware found: command
    Trojan Horse found: trojan.gen
    Trojan Horse found: trojan downloader matcash
    Behavioral found: Mal/Emogen-G
    Behavioral found: Mal/Heuri-E
    Adware found: zquest
    Virus found: Troj/Dload-U
    Adware found: maxifiles
    Virus found: Troj/RunPatch-A
    Behavioral found: Mal/Generic-A
    Behavioral found: Mal/Emogen-F
    Virus found: W32/Jeefo-A
    Virus found: Troj/Canida-Fam
    Trojan Horse found: trojan-pws-bluedit


    Here is my Hijack Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:41:49 AM, on 10/29/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\printer.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\printer.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [NAV CfgWiz] "c:\PROGRA~1\NORTON~1\Cfgwiz.exe" /R
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [BackupNotify] "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"
    O4 - HKCU\..\Run: [NVIEW] "rundll32.exe" nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: autorun.exe
    O4 - Startup: HP Organize.lnk = ?
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Startup: system.exe
    O4 - Global Startup: autorun.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

    --
    End of file - 6525 bytes


    :confused:
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!



    Please download (save) SmitfraudFix (by S!Ri) to your desktop. SmitfraudFix runs under W2K, XP only.

    Extract the content (a folder named SmitfraudFix) to your Desktop. Select all of the contents and Extract them
    to a new folder called SmitfraudFix.
    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  3. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    My SmitfraudFix Findings

    SmitFraudFix v2.245

    Scan done at 20:32:48.67, Tue 10/30/2007
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\printer.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    192.168.200.3 download.microsoft.com
    192.168.200.3 downloads.microsoft.com
    192.168.200.3 go.microsoft.com
    192.168.200.3 microsoft.com
    192.168.200.3 msdn.microsoft.com
    192.168.200.3 office.microsoft.com
    192.168.200.3 support.microsoft.com
    192.168.200.3 windowsupdate.microsoft.com
    192.168.200.3 www.microsoft.com
    192.168.200.3 pandasoftware.com
    192.168.200.3 www.pandasoftware.com

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

    C:\WINDOWS\Tasks\At?.job FOUND !
    C:\WINDOWS\Tasks\At??.job FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\printer.exe FOUND !
    C:\WINDOWS\system32\WinAvXX.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\autorun.exe FOUND !
    C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\system.exe FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
    DNS Server Search Order: 68.87.73.242
    DNS Server Search Order: 68.87.71.226

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

    Next, please reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, a menu with options should appear;
    • Select the first option, to run Windows in Safe Mode, then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

    A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    The report can also be found at the root of the system drive, usually at C:\rapport.txt

    Warning: running option #2 on a non infected computer will remove your Desktop background.



    Please post the C:\rapport.txt and a new HJT log in your next reply.
     
  5. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    SmitFraudFix v2.245

    Scan done at 21:07:28.81, Wed 10/31/2007
    Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    192.168.200.3 ad.doubleclick.net
    192.168.200.3 ad.fastclick.net
    192.168.200.3 ads.fastclick.net
    192.168.200.3 ar.atwola.com
    192.168.200.3 atdmt.com
    192.168.200.3 avp.ch
    192.168.200.3 avp.com
    192.168.200.3 avp.ru
    192.168.200.3 awaps.net
    192.168.200.3 banner.fastclick.net
    192.168.200.3 banners.fastclick.net
    192.168.200.3 ca.com
    192.168.200.3 click.atdmt.com
    192.168.200.3 clicks.atdmt.com
    192.168.200.3 customer.symantec.com
    192.168.200.3 dispatch.mcafee.com
    192.168.200.3 download.mcafee.com
    192.168.200.3 downloads-us1.kaspersky-labs.com
    192.168.200.3 downloads-us2.kaspersky-labs.com
    192.168.200.3 downloads-us3.kaspersky-labs.com
    192.168.200.3 downloads1.kaspersky-labs.com
    192.168.200.3 downloads2.kaspersky-labs.com
    192.168.200.3 downloads3.kaspersky-labs.com
    192.168.200.3 downloads4.kaspersky-labs.com
    192.168.200.3 engine.awaps.net
    192.168.200.3 f-secure.com
    192.168.200.3 fastclick.net
    192.168.200.3 ftp.avp.ch
    192.168.200.3 ftp.downloads1.kaspersky-labs.com
    192.168.200.3 ftp.downloads2.kaspersky-labs.com
    192.168.200.3 ftp.downloads3.kaspersky-labs.com
    192.168.200.3 ftp.f-secure.com
    192.168.200.3 ftp.kasperskylab.ru
    192.168.200.3 ftp.sophos.com
    192.168.200.3 ids.kaspersky-labs.com
    192.168.200.3 kaspersky-labs.com
    192.168.200.3 kaspersky.com
    192.168.200.3 liveupdate.symantec.com
    192.168.200.3 liveupdate.symantecliveupdate.com
    192.168.200.3 mast.mcafee.com
    192.168.200.3 mcafee.com
    192.168.200.3 media.fastclick.net
    192.168.200.3 my-etrust.com
    192.168.200.3 nai.com
    192.168.200.3 networkassociates.com
    192.168.200.3 norton.com
    192.168.200.3 phx.corporate-ir.net
    192.168.200.3 rads.mcafee.com
    192.168.200.3 secure.nai.com
    192.168.200.3 securityresponse.symantec.com
    192.168.200.3 service1.symantec.com
    192.168.200.3 sophos.com
    192.168.200.3 spd.atdmt.com
    192.168.200.3 symantec.com
    192.168.200.3 trendmicro.com
    192.168.200.3 update.symantec.com
    192.168.200.3 updates.symantec.com
    192.168.200.3 updates1.kaspersky-labs.com
    192.168.200.3 updates2.kaspersky-labs.com
    192.168.200.3 updates3.kaspersky-labs.com
    192.168.200.3 updates4.kaspersky-labs.com
    192.168.200.3 updates5.kaspersky-labs.com
    192.168.200.3 us.mcafee.com
    192.168.200.3 vil.nai.com
    192.168.200.3 viruslist.com
    192.168.200.3 viruslist.ru
    192.168.200.3 virusscan.jotti.org
    192.168.200.3 virustotal.com
    192.168.200.3 www.avp.ch
    192.168.200.3 www.avp.com
    192.168.200.3 www.avp.ru
    192.168.200.3 www.awaps.net
    192.168.200.3 www.ca.com
    192.168.200.3 www.f-secure.com
    192.168.200.3 www.fastclick.net
    192.168.200.3 www.grisoft.com
    192.168.200.3 www.kaspersky-labs.com
    192.168.200.3 www.kaspersky.com
    192.168.200.3 www.kaspersky.ru
    192.168.200.3 www.mcafee.com
    192.168.200.3 www.my-etrust.com
    192.168.200.3 www.nai.com
    192.168.200.3 www.networkassociates.com
    192.168.200.3 www.sophos.com
    192.168.200.3 www.symantec.com
    192.168.200.3 www.symantec.com
    192.168.200.3 www.trendmicro.com
    192.168.200.3 www.viruslist.com
    192.168.200.3 www.viruslist.ru
    192.168.200.3 www.virustotal.com
    192.168.200.3 www3.ca.com

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\WINDOWS\Tasks\At?.job Deleted
    C:\WINDOWS\Tasks\At??.job Deleted
    C:\WINDOWS\system32\printer.exe Deleted
    C:\WINDOWS\system32\WinAvXX.exe Deleted
    C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\autorun.exe Deleted
    C:\DOCUME~1\Owner\STARTM~1\Programs\Startup\system.exe Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{52DDA9EA-21F8-4F83-9586-EE06AFB21F8F}: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.73.242 68.87.71.226


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download the HostsXpert 4.0 - Hosts File Manager.
    • Unzip HostsXpert 4.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.0 - Hosts File Manager
    • Run HostsXpert 4.0 - Hosts File Manager from its new home
    • Click "Make Hosts Writable?"
    • Click Restore MS Hosts and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.


    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download and scan with SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.
     
  7. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 11/02/2007 at 00:03 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3336
    Trace Rules Database Version: 1337

    Scan type : Complete Scan
    Total Scan Time : 00:59:24

    Memory items scanned : 387
    Memory threats detected : 0
    Registry items scanned : 4646
    Registry threats detected : 0
    File items scanned : 68557
    File threats detected : 21

    Trojan.NetMon/DNSChange
    C:\Program Files\Network Monitor

    Trojan.Net-AVP/AVT
    C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\START MENU\PROGRAMS\STARTUP\SYSTEM.EXE

    Adware.ClickSpring/Yazzle
    C:\PROGRAM FILES\COMMON FILES\YAZZLE1122OINADMIN.EXE
    C:\PROGRAM FILES\COMMON FILES\YAZZLE1122OINUNINSTALLER.EXE

    Trojan.Unknown Origin
    C:\PROGRAM FILES\ONLINE SERVICES\BAK\HORYCYWY22011.EXE
    C:\WINDOWS\SGVPZGKGTWF0DGHLD3M\M3PDT340NQIXX315XAG.VBS
    C:\WINDOWS\SYSTEM32\WNSTSSV32.EXE
    C:\WINDOWS\UNINSTALL_NMON.VBS

    Trojan.Downloader-Gen/Suspicious
    C:\PROGRAM FILES\TRASH\BIN\CRAP.1191430590.OLD
    C:\PROGRAM FILES\TRASH\BIN\CRAP.1193185870.OLD

    Adware.k8l
    C:\PROGRAM FILES\WINDOWSUPDATE\PROFSYRTY.HTML

    Trojan.Downloader-Gen/Installer
    C:\WINDOWS\B104.EXE
    C:\WINDOWS\B122.EXE
    C:\WINDOWS\B128.EXE
    C:\WINDOWS\B138.EXE

    Trojan.WinAntiSpyware/WinAntiVirus 2006
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\UWA7P_0001_N99M2908NETINSTALLER.EXE

    Adware.Adservs
    C:\WINDOWS\SGVPZGKGTWF0DGHLD3M\ASAPPSRV.DLL

    Unclassified.Unknown Origin
    C:\WINDOWS\SGVPZGKGTWF0DGHLD3M\COMMAND.EXE

    Trojan.ZQuest-Installer
    C:\WINDOWS\TK58.EXE

    Worm.Sober Variant
    C:\WINDOWS\WNSXS~1\BAK\DEXPLORE.EXE

    Adware.ClickSpring
    C:\WINDOWS\WNSXS~1\DEXPLORE.EXE
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please post your hijackthis log again.
     
  9. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:22:49 PM, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Softex\OmniPass\Omniserv.exe
    C:\Program Files\Softex\OmniPass\OPXPApp.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\rundll32.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [CamMonitor] "c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe"
    O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKCU\..\Run: [BackupNotify] "c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe"
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - S-1-5-18 Startup: AutoTBar.exe (User 'SYSTEM')
    O4 - S-1-5-18 Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

    --
    End of file - 5828 bytes
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Looks fine. How is it running now? Any problems?
     
  11. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    Everything is wonderful now.
    I can change my time and calender...
    I can add or remove programs through my control panel etc..
    And now my boyfriend and I can play warcraft and counter strike or any online game for that matter with out the pop ups.

    What was wrong?

    And I will be making a donation with my next pay check...
    me is a poor young folk but will be donateing with my next pay check. (no bills to pay then!)
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    You picked up some baddies along the way. You should always check things out before you allow them to download onto your machine.


    You can and should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

    OTMoveIt by OldTimer has a CleanUp! option you can use to remove most of the fixes and associated files and folders if you want to use that. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. Also remove OTMoveIt.


    It's a good idea to Flush your System Restore after removing malware:
    Turn off system restore and then turn it back on: http://support.microsoft.com/kb/310405


    Here are some additional links for you to check out to help you with your computer security.

    How did I get infected in the first place.

    Secunia software inspector & update checker

    Good free tools and advice on how to tighten your security settings.

    Security Help Tools



    You're welcome!
     
  13. buggingainey

    buggingainey Thread Starter

    Joined:
    Oct 29, 2007
    Messages:
    144
    Thankyou!
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/645289

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice