1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Spyware problem; Winantivirus popups

Discussion in 'Virus & Other Malware Removal' started by Nick Caligo, Jul 30, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Nick Caligo

    Nick Caligo Thread Starter

    Joined:
    Jul 30, 2006
    Messages:
    4
    Running: Windows XP
    Virus Scan: Symantec Antivirus
    Also equipped with: Ad Aware, which says I'm clean now.
    Web browser of choice: Mozilla Firefox

    Problem: I recently got hit by a bunch of different popups for phoney antivirus programs that keep insisting I install them. Something managed to worm its way into my computer. I ran my antivirus, cleaned out some junk, ran ad-aware, cleaned out more junk, then uninstalled firefox and reinstalled it after cleaning out its folder. Then I did a little looking around the web when popups persisted; I paid attention to the products they kept trying to push on me. One of them was Sysprotect, the other was Winantivirus. I found a solution to the sysprotect stuff on Symantec's site yesterday and cleaned its clock, but I noticed, peculiarly, that only a few of the files that Symantec mentioned existed--possibly because I never let sysprotect install, but that's just a theory. I've been running my computer all day, and finally, around 12:30-1:00 AM, I got hit with another set of Winantivirus popups while browsing through my music folder. I couldn't find a solid solution to Winantivirus just cruising around the 'net--at least, not one that exactly fit my unique situation of having removed--I THINK, at least--most of the components of the worm it was part of. They also described popups that I didn't get.

    I need to get this junk off my computer, and I need to be sure I got everything. Please help!

    Here's a Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:25:19 AM, on 7/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Intel\IDU\IDUServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\IDU\iptray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\Documents and Settings\Mike\Desktop\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
    O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_11\bin\jusched.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_11\bin\npjpi142_11.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093818628031
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    Did you install these linked to overclocking technology, if mot fix them with hijack this?


    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe



    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.


    Go here and downlaod the latest version of java, once
    downloaded, go to add/remove and uninstall all previous versions of java
    from add/remove and then instlall the latest version you just downloaded!

    http://java.com/en/download/manual.jsp



    Download the pocket killbox

    http://www.bleepingcomputer.com/files/killbox.php





    Download ewido!


    http://www.ewido.net/en/


    * Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    * Once the setup is complete you will need run Ewido and update the definition files.
    * On the main screen select the icon "Update" then select the "Update now" link.
    * Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    * Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    * Once in the Settings screen click on "Recommended actions" and then select "Delete"
    * Under "Reports"
    * Select "Automatically generate report after every scan"
    * Un-Select "Only if threats were found"


    Close Ewido Anti-spyware, Do NOT run a scan yet. We will do that later in safe mode.



    * Click here to download ATF Cleaner by Atribune and save it to your desktop.

    http://majorgeeks.com/ATF_Cleaner_d4949.html


    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.
    o If you use Firefox:
    + Click Firefox at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    o If you use Opera:
    + Click Opera at the top and choose: Select All
    + Click the Empty Selected button.
    + NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    * Click Exit on the Main menu to close the program.


    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
    O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe



    Run Ewido!

    # IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
    # Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
    # Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    # Ewido will now begin the scanning process. Be patient this may take a little time.
    Once the scan is complete do the following:
    # If you have any infections you will prompted, then select "Apply all actions"
    # Next select the "Reports" icon at the top.
    # Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    # Close Ewido and reboot your system back into Normal Mode.



    reboot to normal mode and run a few online scans!


    Make sure your ActiveX controls are set as follows:

    Go to Internet Options - Security - Internet, press 'default level', then OK.
    Now press "Custom Level."

    In the ActiveX section, set the first two options (Download signed and
    unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX
    controls not marked as safe" to 'disable'.


    Active X settings

    http://www.compu-docs.com/activex.htm




    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!



    post another hijack this log, the ewido , vundo and active scan logs
     
  3. Nick Caligo

    Nick Caligo Thread Starter

    Joined:
    Jul 30, 2006
    Messages:
    4
    I ran Vundo and it found nothing, and subsequently couldn't clean anything.

    Here's the rest of the logs; note that the viruses that activescan found were ones that were Emailed to me by some fool. I never opened them and they never infected my computer.

    Ewido report:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 8:02:45 PM 7/30/2006

    + Scan result:



    :mozilla.101:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.35:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.36:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.59:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.60:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.61:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.62:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.86:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.87:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.88:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.89:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.30:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Move\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned.
    :mozilla.72:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.73:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.74:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Move\Cookies\[email protected][2].txt -> TrackingCookie.Com : Cleaned.
    :mozilla.21:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Move\Cookies\[email protected]2.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.65:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.66:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.46:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.37:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Move\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
    :mozilla.80:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.81:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.82:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Move\Cookies\[email protected][2].txt -> TrackingCookie.Realcastmedia : Cleaned.
    :mozilla.111:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.112:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.113:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.114:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.115:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Move\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.15:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.16:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.67:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.68:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.69:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.70:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.22:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.23:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.24:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.25:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.26:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.27:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.28:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Move\Cookies\[email protected][2].txt -> TrackingCookie.Web-stat : Cleaned.
    :mozilla.90:C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
    --------------------------------------------
    Active Scan Report:

    Incident Status Location

    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\j06yigzl.default\cookies.txt[.toplist.cz/]
    Virus:Bck/Breplibot.Q Disinfected Personal Folders\Deleted Items\SPAM-C CCTV still of Rapist\suspicious photo.zip[Photo and Article.exe]
    Virus:Bck/Breplibot.Q Disinfected Personal Folders\Deleted Items\approval deadline\Article.zip[Photo and Article.exe]

    ----------------------------------------------
    Hijack This Report:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:56:18 PM, on 7/30/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Intel\IDU\IDUServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Intel\IDU\iptray.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Mike\Desktop\HijackThis.exe

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
    O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093818628031
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok.

    For Mozilla

    To block cookies in mozilla and stop them from coming back click on
    tools/ options/privacy/click view cookies, now you will now see a
    list of cookies, click on all the cookies to delete that you don't want
    to keep! You can view all the blocked cookies by clicking exceptions!


    your using msconfig, go back in there and recheck all the boxes that are unchecked click ok and reboot as there maybe some baddies in there which are disabled and are not showing up, you cna always go back into msconfig and disable the programms you don't want to start up later!


    you don't appear to have a firewall, even if you have a router you still need
    a software frewall, downlaod the one from the link below!


    Filseclab Personal Firewall Professional Edition


    http://www.filseclab.com/eng/download/downloads.htm

    http://www.download.com/Filseclab-Pe...8.html?tag=dir


    use this site to confgure filseclab , see page 7 and post 165 of that thread!

    http://www.wilderssecurity.com/showthread.php?t=92710


    Use this site's shields up to test filseclab and see if it is stealthing, some rules may have to be changed to " out " to pass the tests!

    http://grc.com/



    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.

    reboot again




    Go here and download Microsoft® Windows Defender. First in the top menu click
    File then Check for updates to download the definitons updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete just in case.
    It is a beta program and there may be false positives)

    Restart your computer.


    All tools can be downloaded at the link below and found on that page!


    . Microsoft® Windows Defender!
    . SpyBot search and destroy
    . AdAware SE personal


    http://www.majorgeeks.com/downloads31.html


    post another log
     
  5. Nick Caligo

    Nick Caligo Thread Starter

    Joined:
    Jul 30, 2006
    Messages:
    4
    I think we're getting closer, but we're not quite there. Symantec Antivirus just popped up right as I was going to post my logs, just two seconds before I wrote this, and told me the following:

    Scan type: Auto-Protect Scan
    Event: Threat Found!
    Threat: Downloader
    File: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\865VO8EC\L2[1].exe
    Location: C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\865VO8EC
    Computer: MIKEP4915GAME
    User: Mike
    Action taken: Clean failed : Quarantine failed : Delete succeeded : Access denied
    Date found: Monday, July 31, 2006 2:43:05 PM


    Here's what I found from all the scans. It's odd because I haven't seen hair nor hide of these things Spybot found. Smitfraud sounds especially nasty, though. I sure am glad Spybot got it before it got me!

    Problems found and fixed in Spybot:
    AstaKiller
    Attune
    Smitfraud-C.
    Smitfraud-C. Toolbar
    True Sword
    Windows Security Center.AntiVirusOverride

    Windows Defender found nothing

    Ad-Aware SE found one critical item:
    Name: Tracking Cookie
    Category: Data Miner
    Object Type: IECache Entry
    Size: 96 Bytes
    Location: C:\Documents and Settings\Mike\Cookies\[email protected]
    Last Activity: 7-31-2006 6:07:43 AM
    Relevance: Low
    TAC Rating: 3
    Comment: Hits: 2


    Logfile of HijackThis v1.99.1
    Scan saved at 2:40:29 PM, on 7/31/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Intel\IDU\IDUServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
    C:\Program Files\Intel\IDU\iptray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\ALCWZRD.EXE
    C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
    C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
    C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\program files\valve\steam\steam.exe
    C:\Program Files\Filseclab\xfilter\xfilter.exe
    C:\Program Files\Common Files\Filseclab\FilMsg.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
    C:\Documents and Settings\Mike\Desktop\HijackThis.exe
    C:\WINDOWS\system32\HPBPRO.EXE

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
    O4 - HKLM\..\Run: [ipTray.exe] "C:\Program Files\Intel\IDU\iptray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
    O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
    O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [AttuneClientEngine] C:\PROGRA~1\Aveo\Attune\bin\attune_ce.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Filseclab Messenger.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093818628031
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Intel(R) Desktop Utilities Service (iHCService) - OSA Technologies, Inc. - C:\Program Files\Intel\IDU\IDUServ.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\system32\sdpasvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    How's the computer running now any better?



    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm
     
  7. Nick Caligo

    Nick Caligo Thread Starter

    Joined:
    Jul 30, 2006
    Messages:
    4
    Well, there's not been any sign of spyware or malware for a while, but the computer's running an awful lot slower now around startup. It takes five to ten minutes for windows to set itself up to a point where it runs smoothly, and Windows Security Center insists that my virus protection status is unknown even though Symantec Antivirus is both installed and running auto-protect and I have more anti-spyware software than ever before thanks to you. What do I need to do?

    Here's the log you asked for:

    SmitFraudFix v2.76

    Scan done at 17:44:24.75, Mon 07/31/2006
    Run from C:\Documents and Settings\Mike\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Mike\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Mike\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  8. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    clean log!




    You should now turn off system restore to flush out the bad restore points and
    then re-enable it and make a new clean restore point.


    How to turn off system restore

    http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


    http://support.microsoft.com/default.aspx?scid=kb;[LN];310405




    Here's some free tools to keep you from getting infected in the future.


    To stop reinfection get spywareblaster from


    http://www.javacoolsoftware.com/downloads.html


    get the hosts file from here.Unzip it to a folder!



    http://www.mvps.org/winhelp2002/hosts.htm


    put it into : or click the mvps bat and it should do it for you!


    Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
    Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
    Win 98\ME = C:\WINDOWS



    ie-spyad.Puts over 5000 sites in your restricted zone so you'll be protected

    when you visit innocent-looking sites that aren't actually innocent at all.

    http://www.spywarewarrior.com/uiuc/resource.htm


    Arovax shield: stop your computer from being hijacked!

    http://www.arovaxshield.com/


    Use spybot's immunize button and use spywareblaster' enable
    protection once you update it. you can put spybot's hosts file into
    your own and lock it.



    I would also suggest switching to Mozilla's firefox browser, it's safer, has
    a built in pop up blocker, blocks cookies and adds. Mozilla Thunderbird is also a good
    e-mail client.

    http://www.mozilla.org/


    Another good and free browser is Opera!

    http://www.opera.com/


    Read here to see how to tighten your security:

    http://forums.techguy.org/t208517.html


    A good overall guide for firewalls, anti-virus, and anti-trojans as well as
    regular spyware cleaners.

    http://www.firewallguide.com/anti-trojan.htm



    you can mark your own thread solved through thread tools at the top of
    the page.
     
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved Spyware problem
  1. dano_61
    Replies:
    14
    Views:
    467
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/487715

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice